Re: Security testing: need for a security policy, and a security-critical package process
- From: Gene Czarcinski <gene czarc net>
- To: fedora-devel-list redhat com, fedora-security-list redhat com
- Cc:
- Subject: Re: Security testing: need for a security policy, and a security-critical package process
- Date: Tue, 1 Dec 2009 12:38:25 -0500
On Monday 30 November 2009 22:40:07 Hal Murray wrote:
> gene czarc net said:
> ...
>
> > A written description of the security policy is a must!
>
> ...
>
> Is the idea of a single one-size-fits-all security policy reasonable? I
> think Fedora has a broad range of users.
>
No. Initially, I recommend one security policy and one reference
implementation to test against. Each variation needs its own security policy
and reference implementation definition. Later ones are easier to create
because they can use the early ones as "guidance".

So, why go through all of this paperwork and bureaucratic bullshit? Well,
those of us who have done this before believe that it is necessary. I do not
like the bureaucratic BS any more than anyone else but, if you do not do it,
then you are not quite sure what you have when you say that something meets
security requirements.

Gene