Garrett D'Amore wrote:
> ...
> Specifically, we seem to have cases which basically want to elide ARC
> review, because they are adhering to (or importing from) FOSS software.
> What is the point of bringing such cases to ARC at all?
> ...
>
> How do we reconcile the issues that arise when software
> developed/delivered without ARC review (or with all the normal Big Rules
> for Solaris software "waived" because of upstream purity) becomes used
> for "core" parts of Solaris. (E.g. when pkcs11_pam is used as a key
> piece of our Solaris authentication strategy, but fails to meet certain
> "Big Rules" for Solaris security?)
>
The counterexample to that is the components of Solaris that have come from FOSS communities for years: ipfilter, named and sendmail are three very important components of Solaris and exist as products in the open source world. Each of these three has been brought before PSARC, once or twice or more, and has been subject to the usual kinds of review.

If one were to use the above precedents as laying the groundwork for how future software should be considered, then there is no question about what should be expected from current and future cases, including pkcs11_pam.

So until there is official communication indicating that we should be doing something else, perhaps the best we can do is to use established case history as a guide.

Darren
