Re: Security testing: need for a security policy, and a security-critical package process

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2009-11-23 at 18:16 -0600, Chris Adams wrote:
> Once upon a time, Adam Williamson <awilliam@xxxxxxxxxx> said:
> > It's not QA's role to define exactly what the security policy should
> > look like or what it should cover, but from the point of view of
> > testing, what we really need are concrete requirements. The policy does
> > not have to be immediately comprehensive - try and cover every possible
> > security-related issue - to be valuable. Something as simple as spot's
> > proposed list of things an unprivileged user must not be able to do -
> > http://spot.livejournal.com/312216.html - would serve a valuable purpose
> > here.
> 
> IMHO that's a backwards way of approaching security.  You will never be
> able to define everything somebody should _not_ be able to do.  You
> should always take the approach of defining what somebody _should_ be
> able to do.

But think from a QA perspective. However the policy is phrased, we have
to test the negatives. If we just tested that all the 'could' things on
the list were OK, we would happily approve a release that gave everyone
root privileges. After all, everyone would be able to do all the things
they were supposed to do. it'd be a 100% pass. =)

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux