[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security patches

On Sat, 2003-11-29 at 22:53, Colin Walters wrote:

> > Nevertheless I again would like to suggest a policy that forces the
> > maintainers of packages to deliver informations about used system
> > resources
> > of their programs. 

However, this is not such a bad idea, if you don't try to be too formal
about it.  If maintainers shipped English descriptions (say,
README.Security) of what the security implications of their programs
were, it could be very helpful for people writing security policies. 
These people would include the Debian maintainers of various security
systems, as well as end-user system administrators.

For example, the Apache maintainer might write (I'm making this up):

In its most basic configuration, this package runs as a daemon listening
on port 80.  It does not require write access to any portion of the
filesystem.  It has no sensitive files (such as cryptographic keys).

However, this package can use a variety of modules.  Adding the
postgresql module will require the ability to use a Unix domain socket
/var/tmp/postgres.  Adding the foo module will require...

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: