On Thu, 2010-06-17 at 10:54 +0100, Darren J Moffat wrote:
My only concern is this paragraph:
>
> The project team reserves the right to revise the exact list of
> certificates and/or choose an entirely different source of certifcates
> at anytime without requiring further ARC review.
>
While ARC may or may not be the best place to review changes to the
certificate list (it probably isn't), I think we should like to know how
revisions will be made -- i.e. who decides when a change is appropriate
and what the change will be? The project team? You? C-Team? P-Team?
I think there should be at least *some* review by some group of people
when something so important to the security of the underlying system is
changed. So I'd like to know more about what is intended here.
And I think understanding what this review would be is part of the
fundamental architecture of the case, so I think its appropriate to
discuss here.
- Garrett
_______________________________________________
opensolaris-arc mailing list
[email protected]
