[maemo-developers] Extras QA checklist

From: Jeremiah Foster jeremiah at jeremiahfoster.com
Date: Wed Oct 28 21:02:12 EET 2009
On Oct 28, 2009, at 19:28, Antti Vähä-Sipilä wrote:

>> * MUST NOT introduce security risks.
> I'd rephrase "MUST NOT contain known security vulnerabilities" and
> "MUST specify a security vulnerability reporting contact point".

This makes sense to me.

> This would take the ambiguity out of a security *risk* (almost nothing
> is risk-free). Vulnerabilities, however, are more tangible. There is,
> of course, still a class of vulnerabilities that could result in a
> debate, but much less so than when talking about risk.
> "Known" is also tricky - known by whom? - but it could suffice, as if
> anyone who is actually involved in this QA checking "knows", it would
> trigger this.

Perhaps a check against the CVE database?

> The contact point would usually be an email address and perhaps an
> associated GPG key, but the bug tracker could also suffice if the
> project is really keen on full disclosure.

Seems reasonable.