On Wednesday 28 October 2009 18:28:24 Antti Vähä-Sipilä wrote:

> > * MUST NOT introduce security risks.
>
> I'd rephrase "MUST NOT contain known security vulnerabilities" and
> "MUST specify a security vulnerability reporting contact point".
The second requirement is not reasonable. Many small programs, particularly one-person projects, don't need "a security vulnerability reporting contact point". There is already a maintainer field (mandatory) and the maintainer is the contact point. In fact, I am not even keen to allow an optional security vulnerability reporting contact point as that will mean creating yet another Maemo-specific package control field.

And "known" means known by the developer -- no more and no less. Of course, once a tester has found a security bug and reported it, it is known by the developer so that means it cannot proceed until the bug is fixed.

Graham

_______________________________________________
maemo-developers mailing list
[email protected]
https://lists.maemo.org/mailman/listinfo/maemo-developers
