On Oct 28, 2009, at 19:28, Antti Vähä-Sipilä wrote:

>> * MUST NOT introduce security risks.
>
> I'd rephrase "MUST NOT contain known security vulnerabilities" and
> "MUST specify a security vulnerability reporting contact point".

This makes sense to me.
>
> This would take the ambiguity out of a security *risk* (almost nothing
> is risk-free). Vulnerabilities, however, are more tangible. There is,
> of course, still a class of vulnerabilities that could result in a
> debate, but much less so than when talking about risk.
>
> "Known" is also tricky - known by whom? - but it could suffice, as if
> anyone who is actually involved in this QA checking "knows", it would
> trigger this.

Perhaps a check against the CVE database?
>
> The contact point would usually be an email address and perhaps an
> associated GPG key, but the bug tracker could also suffice if the
> project is really keen on full disclosure.

Seems reasonable.

Jeremiah
_______________________________________________
maemo-developers mailing list
[email protected]
https://lists.maemo.org/mailman/listinfo/maemo-developers
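Added example (not code from the thread or from the Maemo project): one way the "check against the CVE database" QA step suggested above could be done offline, by matching a package's name and upstream version against a locally mirrored advisory feed. The feed format, the package names and the CVE identifiers are constructed placeholders (the ids deliberately use a "CVE-0000-" prefix), and the version comparison is a simplified dotted-number ordering, not a full dpkg version comparison.

```python
"""Offline known-vulnerability check for a package name/version pair.

Constructed example: the feed below is invented and the ids are placeholders,
not real CVE entries. Versions are assumed to follow the Debian/Maemo shape
"[epoch:]upstream[-revision]"; only the upstream part is compared.
"""

import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    package: str
    introduced: str          # first affected upstream version (inclusive)
    fixed: Optional[str]     # first fixed upstream version (exclusive); None = no fix yet
    summary: str


# Constructed sample feed, one advisory per line:
#   CVE id | source package | introduced | fixed ("-" if none) | summary
# Package names are invented and the "CVE-0000-" ids do not exist.
SAMPLE_FEED = """\
CVE-0000-0001|examplelib|1.0|1.4|buffer overflow in input parser
CVE-0000-0002|examplelib|1.2|-|unfixed: predictable temporary file name
CVE-0000-0003|otherdaemon|0.5|0.6|privilege escalation via config file
"""

_DIGITS = re.compile(r"\d+")


def version_key(version: str) -> tuple:
    """Reduce a package version to a comparable tuple of integers.

    Simplification (assumption of this example): strip the epoch ("1:"),
    the packaging revision ("-1maemo1") and any "~" pre-release suffix,
    then compare the remaining dotted numbers with trailing zeros dropped,
    so that "1.4" == "1.4.0". Real dpkg ordering is richer than this.
    """
    upstream = version.split(":", 1)[-1].split("-", 1)[0].split("~", 1)[0]
    key = [int(n) for n in _DIGITS.findall(upstream)]
    while key and key[-1] == 0:
        key.pop()
    return tuple(key)


def parse_feed(text: str) -> List[Advisory]:
    """Parse the pipe-separated feed format used by SAMPLE_FEED."""
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cve_id, package, introduced, fixed, summary = (
            field.strip() for field in line.split("|", 4)
        )
        advisories.append(
            Advisory(cve_id, package, introduced, None if fixed == "-" else fixed, summary)
        )
    return advisories


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed), or >= introduced when unfixed."""
    v = version_key(version)
    if v < version_key(adv.introduced):
        return False
    return adv.fixed is None or v < version_key(adv.fixed)


def check_package(package: str, version: str, feed: List[Advisory]) -> List[str]:
    """Return the ids of advisories that still apply to this package/version."""
    hits = [a for a in feed if a.package == package and is_affected(version, a)]
    return sorted(a.cve_id for a in hits)


def qa_verdict(package: str, version: str, feed: List[Advisory]) -> str:
    """Turn the advisory list into the pass/fail outcome a QA gate would record."""
    hits = check_package(package, version, feed)
    if not hits:
        return "OK"
    return "REJECT: known vulnerabilities " + ", ".join(hits)


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for pkg, ver in [("examplelib", "1.2-1maemo1"), ("examplelib", "1.4"),
                     ("examplelib", "0.9"), ("otherdaemon", "1:0.6-2")]:
        print(pkg, ver, "->", qa_verdict(pkg, ver, feed))
```

The match is on source package name and upstream version only, so a distro-patched revision that backports a fix without bumping the upstream version would still be flagged; a real gate would need the feed to carry distro-specific fixed revisions, or a way for the maintainer to record that the fix was backported.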