[maemo-developers] Extras QA checklist

From: Graham Cobb g+770 at cobb.uk.net
Date: Thu Oct 29 00:49:18 EET 2009

On Wednesday 28 October 2009 18:28:24 Antti Vähä-Sipilä wrote:
> >  * MUST NOT introduce security risks.
>
> I'd rephrase "MUST NOT contain known security vulnerabilities" and
> "MUST specify a security vulnerability reporting contact point".

The second requirement is not reasonable.  Many small programs, particularly 
one-person projects, don't need "a security vulnerability reporting contact 
point".  There is already a maintainer field (mandatory) and the maintainer 
is the contact point.  In fact, I am not even keen to allow an optional 
security vulnerability reporting contact point as that will mean creating yet 
another Maemo-specific package control field.

And "known" means known by the developer -- no more and no less.  Of course, 
once a tester has found a security bug and reported it, it is known by the 
developer so that means it cannot proceed until the bug is fixed.

Graham