
Re: Security patches



On Sat, 2003-11-29 at 22:53, Colin Walters wrote:

> > Nevertheless I again would like to suggest a policy that forces the
> > maintainers of packages to deliver information about the system
> > resources used by their programs.

However, this is not such a bad idea, if you don't try to be too formal
about it.  If maintainers shipped English descriptions (say,
README.Security) of what the security implications of their programs
were, it could be very helpful for people writing security policies. 
These people would include the Debian maintainers of various security
systems, as well as end-user system administrators.

For example, the Apache maintainer might write (I'm making this up):

README.Security:
In its most basic configuration, this package runs as a daemon listening
on port 80.  It does not require write access to any portion of the
filesystem.  It has no sensitive files (such as cryptographic keys).

However, this package can use a variety of modules.  Adding the
postgresql module will require the ability to use a Unix domain socket
/var/tmp/postgres.  Adding the foo module will require...



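As an added example, not code from the thread and not a Debian tool: a script that takes the kind of claims the hypothetical README.Security above makes (listening port, no filesystem writes, an optional Unix domain socket for a module) and checks them against `lsof -nP -p PID` output for the running daemon, so that a maintainer or administrator can see whether the prose description actually matches the process. The lsof lines, the `/var/log/apache2/error.log` path and the `Claims` structure are constructed for illustration.

```python
"""Check a daemon's observed resource use (lsof output) against what its
README.Security claims.  Added illustration; all sample data is constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Claims:
    """What the README.Security says the daemon needs (hypothetical manifest)."""
    listen_ports: frozenset      # TCP ports it is expected to listen on
    write_prefixes: tuple        # filesystem prefixes it may write under
    unix_sockets: frozenset      # Unix domain socket paths it may use


@dataclass
class Observed:
    listen_ports: set = field(default_factory=set)
    write_paths: set = field(default_factory=set)
    unix_sockets: set = field(default_factory=set)


def parse_lsof(text: str) -> Observed:
    """Reduce `lsof -nP -p PID` style lines to listening TCP ports, regular
    files open for writing, and Unix domain sockets in use."""
    obs = Observed()
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue
        cols = line.split(None, 8)          # NAME (9th column) may contain spaces
        if len(cols) < 9:
            continue
        fd, ftype, name = cols[3], cols[4], cols[8]
        if ftype in ("IPv4", "IPv6"):
            m = re.search(r":(\d+) \(LISTEN\)$", name)
            if m:
                obs.listen_ports.add(int(m.group(1)))
        elif ftype == "REG" and fd[0].isdigit() and fd[-1] in "wu":
            # numeric descriptor opened for write ('w') or read/write ('u')
            obs.write_paths.add(name)
        elif ftype == "unix" and name.startswith("/"):
            obs.unix_sockets.add(name.split()[0])   # drop "type=STREAM" suffix
    return obs


def audit(claims: Claims, obs: Observed) -> list:
    """Return human-readable findings for anything observed but not declared."""
    findings = []
    for port in sorted(obs.listen_ports - claims.listen_ports):
        findings.append(f"undeclared listening port {port}")
    for path in sorted(obs.write_paths):
        if not any(path.startswith(p) for p in claims.write_prefixes):
            findings.append(f"undeclared write access to {path}")
    for sock in sorted(obs.unix_sockets - claims.unix_sockets):
        findings.append(f"undeclared unix socket {sock}")
    return findings


# Constructed lsof output for an apache2 worker with the postgres module loaded.
SAMPLE_LSOF = """\
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2 1234 www-data  cwd    DIR    8,1     4096    2 /
apache2 1234 www-data  txt    REG    8,1   671776 1001 /usr/sbin/apache2
apache2 1234 www-data    2w   REG    8,1     1234 2002 /var/log/apache2/error.log
apache2 1234 www-data    4u  IPv6  12345      0t0  TCP *:80 (LISTEN)
apache2 1234 www-data    5u  IPv4  12346      0t0  TCP *:80 (LISTEN)
apache2 1234 www-data    7u  unix 0xffff      0t0 12347 /var/tmp/postgres type=STREAM
"""

# Claims as the basic README.Security above states them: port 80, no writes,
# no sockets.  The audit shows the log file and the module socket were missed.
BASE_CLAIMS = Claims(frozenset({80}), (), frozenset())

# Claims after the maintainer documents the log directory and the postgres
# module's socket; the same observation then audits clean.
PG_CLAIMS = Claims(frozenset({80}), ("/var/log/apache2/",),
                   frozenset({"/var/tmp/postgres"}))


if __name__ == "__main__":
    observed = parse_lsof(SAMPLE_LSOF)
    for label, claims in (("basic README", BASE_CLAIMS), ("with modules", PG_CLAIMS)):
        print(f"{label}: {audit(claims, observed) or 'no discrepancies'}")
```

Run against a live process by feeding it the real `lsof -nP -p PID` output instead of the sample; a finding does not mean a vulnerability, only that the README's English description and the running daemon disagree, which is exactly what someone writing a policy from that README needs to know.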