[maemo-developers] maemo-developers Digest, Vol 59, Issue 25

From: Graham Cobb g+770 at cobb.uk.net
Date: Fri Mar 26 16:35:22 EET 2010
On Friday 26 March 2010 11:53:43 Attila Csipa wrote:
> > All security comments are insane in my opinion. If some person really
> > wants to be evil, there is nothing in our process that would block that
> > except by accident.
>
> I would rather say that it's more of a formulation issue. It would be more
> correct to say that a *known* or *detected* security flaw is a blocker.
> Passing Extras-testing is not equivalent to a security audit - it just
> means there is no glaring security issue known at the time. I can't say I
> would be happy on thumbing up an application that is discovered to, say, set a
> default root password (I'm good at far fetched examples, too ;)

Of course, there is some security benefit from the process -- some glaring 
security problems may be spotted.  However, I agree that this is not at all a 
security audit.  The biggest security benefit of the Extras repository is 
knowing that it is backed by a team who will be able to take action (such as
removing the app) if an app is discovered to be a serious security issue.  That
is not true for extras-devel, and may not be true for 3rd party repositories.

Graham