Re: Interest in ISO 27001 audit/certification for the Debian Project?



Jonathan Kamens <jik@kamens.us> writes:

> Speaking as someone who has been in the driver's seat for multiple ISO
> 27001, SOC 2, and PCI DSS audits:
>
> ISO 27001 certification for Debian would, in my opinion, be mostly
> pointless and would not bring nearly enough benefit to justify the
> significant cost in money, time, and effort. Four reasons:
>
> 1) Debian's infosec practices are leaps and bounds above those of most
> entities that have ISO 27001 certification. Getting audited will not
> help Debian significantly improve or become significantly more secure.

Debian's handling of the archive crypto key could definitely be
improved, and I'd be surprised if available public documentation of
Debian's processes around this would live up to ISO 27001 scrutiny or
even Debian's preference to not hide things from our users.

I agree with you that ISO 27001 certifications are often pointless, but I
would disagree that Debian would not be improved by further
documentation and transparency work.  There is little assurance that the
archive private key isn't leaked by unknown key holders, or it may even
be generated on proprietary compromised devices.

/Simon
