On Monday 30 November 2009 22:40:07 Hal Murray wrote:
gene(a)czarc.net said:
...
> A written description of the security policy is a must!
...
Is the idea of a single one-size-fits-all security policy reasonable? I
think Fedora has a broad range of users.
No. Initially, I recommend one security policy and one reference
implementation to test against. Each variation needs its own security policy
and reference implementation definition. Later ones are easier to create
because they can use the early ones as "guidance".
So, why go through all of this paperwork and bureaucratic bullshit? Well,
those of us who have done this before believe that it is necessary. I do not
like the bureaucratic BS any more than anyone else but, if you do not do it,
then you are not quite sure what you have when you say that something meets
security requirements.
Gene