[maemo-developers] Extras QA checklist

From: Antti Vähä-Sipilä avs at iki.fi
Date: Wed Oct 28 20:28:24 EET 2009
>  * MUST NOT introduce security risks.

I'd rephrase "MUST NOT contain known security vulnerabilities" and  
"MUST specify a security vulnerability reporting contact point".

This would take the ambiguity out of a security *risk* (almost nothing  
is risk-free). Vulnerabilities, however, are more tangible. There is,  
of course, still a class of vulnerabilities that could result in a  
debate, but much less so than when talking about risk.

"Known" is also tricky - known by whom? - but it could suffice, as if  
anyone who is actually involved in this QA checking "knows", it would  
trigger this.

The contact point would usually be an email address and perhaps an  
associated GPG key, but the bug tracker could also suffice if the  
project is really keen on full disclosure.

- Antti