Hi, I'd like to introduce the following security policy for web-based apps. If there are no objections, every new web-based app will have to conform to the policy before it can be added to the tree. Every existing web-based app will have to conform to the policy by the end of August, or I will remove it from the tree.
The proposed policy is simply that:

1. The Gentoo package's maintainer will identify one *named* contact UPSTREAM for security-related matters, and one named general contact UPSTREAM (as a fallback for when the security contact is unreachable).
2. This information will be held on the Dev Wiki.
3. This information will be checked every three months to ensure it remains valid.
4. In situations where the UPSTREAM contacts are unreachable, and no new contact can be identified, the package will be masked and marked for removal from the Portage tree (i.e. it fails this policy).

I believe that security holes will be discovered from time to time. I want to make sure that, when a hole has been found, everything's in place for us to work with UPSTREAM at the greatest possible speed to get things resolved. I would rather we only distributed web-based apps where we can be confident that security is taken appropriately seriously UPSTREAM. Web servers are too easy a target for us to be distributing software we can't be confident about.

Thoughts, comments, other (constructive) feedback?

Best regards,
Stu

--
Stuart Herbert [EMAIL PROTECTED]
Gentoo Developer http://www.gentoo.org/
http://stu.gnqs.org/diary/
GnuPG key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319 C549 0C2F 80BA F9AF C57C
--