
RE: Information Needed: Testing evidence for passwdqc



Hello,

My apologies for responding late, and thanks for the information.

I’ll make sure to use that email in the future for better tracking.

I appreciate the clarification about the absence of direct tests for passwdqc.

Currently, we are discussing in CIP how we can support by contributing to selected packages.
We have already started in the direction of adding autopkgtest support, e.g. for fail2ban and tpm2-tss, and in the future more packages will be selected based on available resources.

Additionally, I will explore the suggested option of requesting support via a bug report and the team’s mailing list.

Thanks & Regards
Zaiba Sanglikar


-----Original Message-----
From: Samuel Henrique <samueloph@debian.org> 
Sent: Tuesday, April 9, 2024 3:54 AM
To: sanglikar zaiba(TSIP TEUR) <Zaiba.Sanglikar@toshiba-tsip.com>
Cc: team+pkg-security@tracker.debian.org; dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-tsip.com>; kunijadar shivanand(TSIP TMIEC ODG Porting) <Shivanand.Kunijadar@toshiba-tsip.com>; ashrith sai(TSIP) <Sai.Sathujoda@toshiba-tsip.com>; balakumar adithya(TSIP TEUR) <Adithya.Balakumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
Subject: Re: Information Needed: Testing evidence for passwdqc

Hello, next time, please consider emailing the team at "Debian Security Tools Packaging Team <debian-security-tools@lists.debian.org>", this lowers the chances of the email being missed.

In theory we monitor both addresses, but the one I suggested has better tracking.

> I hope this message finds you well. I'm working for the CIP (Civil Infrastructure Platform https://wiki.linuxfoundation.org/civilinfrastructureplatform/start) project, where we're currently working to get IEC-62443-4 assessment.
> CIP being an Open Source Project, it just reuses upstream binary packages to generate reference images. For IEC-62443 assessment we need to produce test evidence for certain packages which are used to meet IEC security requirements.
> Since as part of CIP no modifications are done in any package, we don’t test any package and reusing upstream test evidence is sufficient for IEC-62443 assessment.
> I had a look into the salsa repo for the passwdqc 
> https://salsa.debian.org/pkg-security-team/passwdqc
> I didn't find any explicit way to test the package, nor any test evidence available which can be reused for the package passwdqc.
> Sharing any proof that the package has been tested or the procedures for doing so would be very beneficial.

I've checked both the packaging and the upstream source and it doesn't look like we are running tests there.

We still run the other Debian tests as part of the process, like the reproducibility tests, piuparts, hardening checks (blhc), and integration tests of reverse-build deps (if any). But there are no direct tests of passwdqc itself, no upstream tests and no packaging tests under "debian/tests".

If it makes sense for you, and you have available time, feel free to submit an autopkgtest on salsa.

You can also request someone to do it via a bug report and the team's mailing list, but it will depend on someone being available to implement it.

Cheers,

--
Samuel Henrique <samueloph>
