Security testing: need for a security policy, and a security-critical package process
Gregory Maxwell
gmaxwell at gmail.com
Tue Nov 24 02:18:10 UTC 2009
On Mon, Nov 23, 2009 at 9:10 PM, Adam Williamson <awilliam at redhat.com> wrote:
> Having said that - is everyone agreeing that it's fine for each spin SIG
> to be entirely in charge of defining and implementing security policy
[snip]
Different spins having different security makes sense, especially if the
differences are well documented.
Hopefully the differences are an invitation to do bone-headed things:
If some some spin decided to make every user run as root, ship with no
firewalling,
have password-less accounts, or have insecure services enabled by
default, etc. it
would risk tarnishing the Fedora image and result in Fedora being
banned from networks
even if it really was just the insecure-spin. I'm sure that everyone
can be trusted
not to do these things, but it may be worth stating explicitly that
security should
be a goal for all spins— only the details of the trade-offs should differ.
More information about the devel
mailing list