Re: Security testing: need for a security policy, and a security-critical package process

On Mon, Nov 30, 2009 at 22:40, Hal Murray <hmurray@xxxxxxxxxxxxxxx> wrote:

gene@xxxxxxxxx said:
...
> A written description of the security policy is a must!
...

Is the idea of a single one-size-fits-all security policy reasonable?  I
think Fedora has a broad range of users.

Probably not, but there are some basics that should be implemented for everyone.

Security is a tradeoff.  If you make it impossible for the bad guys to get
in, the good guys probably can't get any work done.  How secure do you need
to be?  How much are you willing to pay for it?

How much are you willing to pay to clean up the aftermath?
 

I'd much rather have an overview document that explains the likely attacks
and potential solutions, and their costs and benefits.  Additionally, I think
it's much easier to follow a policy if I understand the reasoning behind it.

The Fedora Security Guide (found at docs.fedoraproject.org and in a friendly repo near you) started out that way and has blossomed into that and a whole lot more.  As always, suggestions and patches are welcome.


I think sample policy documents with descriptions of their target audience
and checklists for how to implement them would be helpful.

+1


--Eric

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
