| 1 |
Hi, |
| 2 |
|
| 3 |
I'd like to introduce the following security policy for web-based apps. |
| 4 |
If there are no objections, every new web-based app will have to conform |
| 5 |
to the policy before it can be added to the tree. Every existing |
| 6 |
web-based app will have to conform to the policy by the end of August, |
| 7 |
or I will remove it from the tree. |
| 8 |
|
| 9 |
The proposed policy is simply that: |
| 10 |
|
| 11 |
1. The Gentoo package's maintainer will identify one *named* contact |
| 12 |
UPSTREAM for security-related matters, and one named general contact |
| 13 |
UPSTREAM (as a fallback for when the security contact is |
| 14 |
unreachable). |
| 15 |
2. This information will be held on the Dev Wiki. |
| 16 |
3. This information will be checked every three months to ensure it |
| 17 |
remains valid. |
| 18 |
4. In situations where the UPSTREAM contacts are unreachable, and no |
| 19 |
new contact can be identified, the package will be masked and |
| 20 |
marked for removal from the Portage tree (ie it fails this policy) |
| 21 |
|
| 22 |
I believe that security holes will be discovered from time to time. I |
| 23 |
want to make sure that, when a hole has been found, everything's in |
| 24 |
place for us to work with UPSTREAM at the greatest possible speed to get |
| 25 |
things resolved. |
| 26 |
|
| 27 |
I would rather we only distributed web-based apps where we can be |
| 28 |
confident that security is taken appropriately seriously UPSTREAM. Web |
| 29 |
servers are too easy a target for us to be distributing software we |
| 30 |
can't be confident about. |
| 31 |
|
| 32 |
Thoughts, comments, other (constructive) feedback? |
| 33 |
|
| 34 |
Best regards, |
| 35 |
Stu |
| 36 |
-- |
| 37 |
Stuart Herbert stuart@g.o |
| 38 |
Gentoo Developer http://www.gentoo.org/ |
| 39 |
http://stu.gnqs.org/diary/ |
| 40 |
|
| 41 |
GnuGP key id# F9AFC57C available from http://pgp.mit.edu |
| 42 |
Key fingerprint = 31FB 50D4 1F88 E227 F319 C549 0C2F 80BA F9AF C57C |
| 43 |
-- |
Archives