[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Security testing: need for a security policy, and a security-critical package process



On Mon, Nov 23, 2009 at 9:10 PM, Adam Williamson <awilliam redhat com> wrote:
> Having said that - is everyone agreeing that it's fine for each spin SIG
> to be entirely in charge of defining and implementing security policy
[snip]

Different spins having different security makes sense, especially if the
differences are well documented.

Hopefully the differences are an invitation to do bone-headed things:

If some some spin decided to make every user run as root, ship with no
firewalling,
have password-less accounts, or have insecure services enabled by
default, etc. it
would risk tarnishing the Fedora image and result in Fedora being
banned from networks
even if it really was just the insecure-spin.  I'm sure that everyone
can be trusted
not to do these things, but it may be worth stating explicitly that
security should
be a goal for all spins— only the details of the trade-offs should differ.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]