On Tue, Dec 19, 2006 at 10:31:51AM -0500, Stephen Smalley wrote:
> On Tue, 2006-12-19 at 09:26 -0600, Klaus Weidner wrote:
> > On Tue, Dec 19, 2006 at 09:14:03AM -0600, Klaus Weidner wrote:
> > > [...] so it would be inappropriate to say that "SELinux" meets the
> > > requirements. You need to consider the developer (Red Hat) and the
> > > sponsor (who usually provides additional testing and documents) also.
> >
> > I didn't mean to imply that Red Hat was solely developing the software,
> > it's of course a community effort. It was intended as an example of what
> > the CC process considers to be the developer in such an evaluation, since
> > the CC are not designed to evaluate open source as such.
>
> "vendor" or "distributor" might be clearer.
I agree that it would be clearer - I was referring to the CC terminology; those documents use "developer" and "sponsor". For evaluation purposes, a Linux vendor needs to take some responsibility for the "developer" role since the open source development process generally doesn't provide enough evidence to meet the assurance requirements on its own. For example, evaluations usually include a site visit to verify the security of the development process itself, which includes physical site security. That's hard to do for "Linux" as a whole...

-Klaus

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
