Hi,

I'd like to introduce the following security policy for web-based apps.
If there are no objections, every new web-based app will have to conform
to the policy before it can be added to the tree. Every existing
web-based app will have to conform to the policy by the end of August,
or I will remove it from the tree.

The proposed policy is simply that:

1. The Gentoo package's maintainer will identify one *named* contact
   UPSTREAM for security-related matters, and one named general contact
   UPSTREAM (as a fallback for when the security contact is
   unreachable).
2. This information will be held on the Dev Wiki.
3. This information will be checked every three months to ensure it
   remains valid.
4. In situations where the UPSTREAM contacts are unreachable, and no
   new contact can be identified, the package will be masked and
   marked for removal from the Portage tree (i.e. it fails this policy).

I believe that security holes will be discovered from time to time. I
want to make sure that, when a hole has been found, everything's in
place for us to work with UPSTREAM at the greatest possible speed to get
things resolved.

I would rather we only distributed web-based apps where we can be
confident that security is taken appropriately seriously UPSTREAM. Web
servers are too easy a target for us to be distributing software we
can't be confident about.

Thoughts, comments, other (constructive) feedback?

Best regards,
Stu
--
Stuart Herbert stuart@g.o
Gentoo Developer http://www.gentoo.org/
http://stu.gnqs.org/diary/

GnuPG key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319 C549 0C2F 80BA F9AF C57C