Security testing: need for a security policy, and a security-critical package process

Gene Czarcinski gene at czarc.net
Tue Dec 1 20:10:29 UTC 2009


On Tuesday 01 December 2009 13:04:02 Eric Christensen wrote:
> On Tue, Dec 1, 2009 at 12:47, Gene Czarcinski <gene at czarc.net> wrote:
> > On Monday 30 November 2009 18:16:50 Adam Williamson wrote:
> > > Where I'm currently at is that I'm going to talk to some Red Hat /
> > > Fedora security folks about the issues raised in all the discussions
> > > about this, including this thread, and then file a ticket to ask FESco
> > > to look at the matter, possibly including a proposed policy if the
> > > security folks help come up with one. And for the moment, only really
> > > concerned with the question of privileges.
> >
> > Start small with just privilege escalation and it can be grown to be
> > something more comprehensive.  FESco is the right place to go and see
> > what the project wants to do.
> 
> There is already a security policy in place.  It's not formalized nor is it
> written down but it's there.  It's the current posture of Fedora.  We set a
> root passphrase at the beginning of install and we give people the option
> of securing GRUB with a passphrase and encrypting the hard drive.  We also
> have the unwritten rule of user privileges.
> 
> It may be time to document our current posture to at least show where we
> are and the standard we expect all developers to live up to.  In the
> process of documenting you may find that we are lacking somewhere.

Yes, there has always been a security policy as defined by the written code 
(software).  But, that is subject to individual interpretation.  I agree that 
creating a written security policy is likely to identify shortcomings such as 
my point about the GRUB password.

Lots of folks who use computers clearly do not understand the underlying 
technology and are clearly not paranoid enough.  Given a home computer, do you 
really want your teenager installing file-sharing software?  Recently, the US 
Congress discovered that some of their users had installed file-sharing 
software --- and the result was not positive.

Fedora needs to provide good functionality while keeping our collective sanity 
... we need software which is not just easy to use but is smarter about how it 
is used.

Gene



