On Saturday 06 December 2008 15:01:18 Callum Lerwick wrote:
> On Sat, 2008-12-06 at 10:29 -0900, Jeff Spaleta wrote:
> > I think CAPP certification, as I understand it, is a poor fit for the
> > security needs of our default Fedora offerings, where we expect an
> > active network. That could be part of the problem. CAPP certification
> > certainly feels like the wrong capability to try to target in our
> > default usage case. Our default usage scenario for the supported spins
> > is simply not the usage that CAPP tries to handle. But it could be
> > very useful for a new spin concept which targets exactly the usage
> > case the CAPP speak to.
>
> So I guess this is what all this really comes down to: Do we care about
> certification?

I think the answer is yes. A lot of work goes into analyzing the software. The fact that you have a man page for each syscall is a product of our certification work. As of Fedora 7 you had man pages for each syscall. Since then we have not had to do work aimed at a CAPP cert and guess what? You once again have syscalls without man pages. We go over all the code that makes any kind of decision related to access control, trusted databases, and crypto. We file and fix many bugs. Test suites are created out of this effort and the whole community has access to them.

This work is done by a team of people in and outside of Red Hat with a like-minded goal of giving Linux the ability to be certified. As a result, Fedora is the ONLY community distribution that actually meets certification requirements. OpenSuse might be close for CAPP, but not LSPP/RSBAC, but that would be the only one I can think of that might be getting close.

Do you like the way that IPv6 works in Fedora? That was done by working on a certification. Do you like crypto that works? We are currently doing that certification. Would you like to see virtualization with strong guarantees of VM separation...guess what?...another certification effort. These are what enable Linux to be used confidently knowing that it will interoperate or follow industry guidelines.

> Hey, Steve Grubb, are you the shadow-utils maintainer?

No, but he's on my team.

> Whoever the shadow-utils maintainer(s) is/are, do you want to agree to put
> this up to a FESCo vote?

That depends on what we are voting on.

-Steve