Hi,

On Tue, 2008-05-20 at 17:21 -0300, Luciano Bello wrote:
> Hi list,
> I was thinking about the Debian/OpenSSL debacle. Clearly it's not easy to
> manage a hard, meticulous QA process in all packages. On the other hand, there
> are packages more critical than others, which are more delicate to security.
> Sometimes, those packages have different priorities in the policy meaning.
> Maybe we can implement this as an Optional header in the control.
> The point is: if we can create a critical QA category for delicate packages in
> the security sense, we can have mandatory QA requirements. For example:
> - It should be checked with debugging tools (like valgrind :P)

Isn't valgrind how we got into this mess to begin with?

> - It should be maintained by a team
> - It should have a public VCS
> - Its patches should be signed off by reviewers (Raphael Hertzog (hertzog@)
> proposed something like this)
>
> You can extend or reduce this list. We can discuss the implementation.
> But I mainly want to know your opinion.
> Please paste the URL if you discussed this in the past.
>
> luciano

I think for critical packages, valgrind prettiness isn't something to care about (unless the interest is generating suppressions).

William