On Thu, 2010-06-17 at 17:12 +0100, Darren J Moffat wrote:
> On 17/06/2010 16:21, Garrett D'Amore wrote:
> > While ARC may or may not be the best place to review changes to the
> > certificate list (it probably isn't), I think we should like to know how
> > revisions will be made -- i.e. who decides when a change is appropriate
> > and what the change will be? The project team? You? C-Team? P-Team?
>
> The appropriate security team at the company producing the distribution
> based on the OpenSolaris source code. That may not be the same people
> as the security functionality engineering teams.
>
> This is an internal policy decision for each distribution and as such
> for Oracle's distribution(s) based on the OpenSolaris codebase will not
> be discussed further here.
>
> This project is delivering into the onnv gate the same initial set as
> what Firefox/Thunderbird uses, other distributions are free to use that
> as a starting point.

By that argument, one could say the same thing about Oracle's
distribution -- that it could modify the initial set in its distribution
without having to change what is in ON.

I realize that this is probably not an acceptable answer. :-)

But it's also the case that ARC has historically been responsible for
reviewing the decisions that go into the final binary product
("distribution", or "WOS", if you prefer). So issues that affect that
product certainly fall within ARC review, unless mgmt has changed the
rules in a way that I don't know about.

I don't think it is necessarily true that these decisions, or their review, or
even a review of the process itself, have to be in the "open", but I do
think that it is probably best if there is at least an internal closed
review covering the process used to manage this list in the final
product. One hopes there is a documented process somewhere! For the
purposes of this case, a link (even one only available internally) to a
document describing the process would IMO satisfy the architectural
considerations.

As far as the open community goes, I think it's perfectly reasonable to
state that the list in the source code is a sample set only, and subject
to change at whim; and that distribution builders are responsible for
ensuring that the set they ship is appropriate for their own needs.

- Garrett
_______________________________________________
opensolaris-arc mailing list