Criterion proposal: security

Adam Williamson awilliam at redhat.com
Thu Nov 8 02:29:06 UTC 2012


On Fri, 2012-10-26 at 12:49 -0700, Adam Williamson wrote:
> On Fri, 2012-10-26 at 12:44 -0700, Adam Williamson wrote:
> 
> > I think with the feedback we've seen so far that we can say the original
> > proposal was substantially too broad, so how about this as a revised
> > proposal - for now, we just add a single Final release criterion which
> > reads:
> > 
> > "The release must contain no known security issues of 'important' or
> > higher impact according to the Red Hat severity classification scale
> > which cannot be satisfactorily resolved by a package update (e.g. issues
> > during installation)"
> > 
> > ? How does that sound to everyone? It drops the issue entirely for Alpha
> > and Beta, and means we only consider bad issues that cannot be fixed
> > with an update for Final.
> 
> Hmm, actually, let's change 'issues' to 'bugs' there, I think that makes
> it clearer that we're talking about things that have actually been
> accepted as bugs - it avoids any suggestion we'd be wading into the
> debate about what actually constitutes a security issue, as Johann was
> concerned about. So:
> 
> "The release must contain no known security bugs of 'important' or
> higher impact according to the Red Hat severity classification scale
> which cannot be satisfactorily resolved by a package update (e.g. issues
> during installation)"
> 
> with the understanding that QA would never use this to wade into
> something like the sshd question and declare that it was a Bug That Must
> Be Fixed. It applies only to things that are clearly agreed to be actual
> bugs.

As this got generally ack'ed and no-one complained, I've pushed it into
production now in the Final criteria -
https://fedoraproject.org/wiki/Fedora_18_Final_Release_Criteria . I also
moved the 'upgrade' criterion up a bit into what I think of as the
'install section' at the same time, so the change is a bit confused,
sorry about that. (The criteria are roughly organized into component
groups, though this isn't clearly called out, another deficiency of the
current layout).
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net