> * MUST NOT introduce security risks.

I'd rephrase "MUST NOT contain known security vulnerabilities" and "MUST specify a security vulnerability reporting contact point".
This would take the ambiguity out of a security *risk* (almost nothing is risk-free). Vulnerabilities, however, are more tangible. There is, of course, still a class of vulnerabilities that could result in a debate, but much less so than when talking about risk. "Known" is also tricky - known by whom? - but it could suffice, as if anyone who is actually involved in this QA checking "knows", it would trigger this. The contact point would usually be an email address and perhaps an associated GPG key, but the bug tracker could also suffice if the project is really keen on full disclosure.

- Antti

_______________________________________________
maemo-developers mailing list
https://lists.maemo.org/mailman/listinfo/maemo-developers
