[maemo-developers] Extras QA checklist
From: Jeremiah Foster jeremiah at jeremiahfoster.com
Date: Wed Oct 28 21:02:12 EET 2009
On Oct 28, 2009, at 19:28, Antti Vähä-Sipilä wrote:

>> * MUST NOT introduce security risks.
>
> I'd rephrase "MUST NOT contain known security vulnerabilities" and
> "MUST specify a security vulnerability reporting contact point".

This makes sense to me.

>
> This would take the ambiguity out of a security *risk* (almost nothing
> is risk-free). Vulnerabilities, however, are more tangible. There is,
> of course, still a class of vulnerabilities that could result in a
> debate, but much less so than when talking about risk.
>
> "Known" is also tricky - known by whom? - but it could suffice, as if
> anyone who is actually involved in this QA checking "knows", it would
> trigger this.

Perhaps a check against the CVE database?

>
> The contact point would usually be an email address and perhaps an
> associated GPG key, but the bug tracker could also suffice if the
> project is really keen on full disclosure.

Seems reasonable.

Jeremiah