Criterion proposal: security

Adam Williamson awilliam at redhat.com
Fri Oct 26 19:44:24 UTC 2012


On Fri, 2012-10-26 at 19:33 +0000, "Jóhann B. Guðmundsson" wrote:
> On 10/26/2012 07:14 PM, Adam Williamson wrote:
> > I wanted to raise the question of whether it makes
> > sense in general to hold our releases for some security bugs. Right now
> > we have no capacity to do that.
> 
> I don't think that should be for us to decide. When we encounter a 
> potential security issue in the development release cycle we should just 
> forward those issues to the security team to determine if that's the case, 
> and let's assume it is; then *they* would contact FESCo, which in turn 
> decides if the release should be *delayed* or not until that security 
> issue has been addressed.
> 
> Given that these issues are few and far between I don't think it 
> warrants a specific criterion surrounding it, but it should rather be dealt 
> with on a case-by-case basis.

Oh, and in case this helps, I wasn't planning on adding a test case
which says 'go test the entire distribution for security issues', or
anything. The idea was just that this would be a criterion we would
'hold in reserve' to use when security issues were elevated to our
attention.

So really it just provides a mechanism for us to take a security issue
that someone has raised that really seems to be a problem, and give it
blocker status.

I think with the feedback we've seen so far that we can say the original
proposal was substantially too broad, so how about this as a revised
proposal - for now, we just add a single Final release criterion which
reads:

"The release must contain no known security issues of 'important' or
higher impact according to the Red Hat severity classification scale
which cannot be satisfactorily resolved by a package update (e.g. issues
during installation)"

? How does that sound to everyone? It drops the issue entirely for Alpha
and Beta, and means we only consider bad issues that cannot be fixed
with an update for Final.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net