Security policy oversight needed?

[Jesse Keating]

On Thu, 2009-11-19 at 10:05 -0500, Peter Jones wrote:
> 
> Mike's suggestion of a distro-wide policy is one way to do that, and on it's
> face, it's certainly a lot more practical than a distro wide change control
> board auditing for security relevant changes, or even sillier, expecting
> package maintainers to identify when a change has security implications and
> come asking what they should do.  A "command" infrastructure does not fit
> Fedora or Linux very well.
> 
> I think the policy should be in two parts, though.  Mike's suggestion is good;
> we need general guidelines as to what roles which classes of users are expected
> to fulfill.  We probably also need some packaging policy for applications
> providing escalated privileges via policy kit, like we already have for setuid
> utilities. 

I am in strong agreement here.  A guiding (set of) polic{y,ies} is what
is needed, to help the maintainers who have control make decisions that
fit well with what the Fedora project (or individual spin) is trying to
offer.  We don't need more rubber stamp meetings, just better
guidelines.

Should this be part of the Packaging guidelines, or a different set of
design guidelines?

-- 
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20091119/36453a56/attachment.sig>