Should release_notes_vulns be relaxed from MUST to SHOULD?
David A. Wheeler
All: Issue #674 proposes to slightly relax the passing criterion “release_notes_vulns”, which currently says:
> “The release notes MUST identify every publicly known vulnerability that is fixed in each new release".
I think this is a different situation from the sites_https criterion, which required “The project sites (website, repository, and download URLs) MUST support HTTPS using TLS.” We’ve received many requests to relax the sites_https criterion, and have not done so, even though there are a number of projects that didn’t meet it. But that was fundamentally different. People generally *did* agree that projects should be using HTTPS, even if they weren’t.
In contrast, the proposers are arguing that there are reasonable reasons to not do this. This suggests that perhaps the criterion should be changed to a SHOULD instead of MUST (this would require them to provide a reason).
If you have comments, please post them on the issue:
We’ve also received a number of suggestions from Wang Anyu, which are posted on GitHub as issues. I welcome anyone to comment on them, and I thank Wang Anyu for his thoughtful contributions.
--- David A. Wheeler
On Sat, 11 Mar 2017 19:19:34 -0500
"Wheeler, David A" <firstname.lastname@example.org> wrote:
All: Issue #674 proposes to slightly relax the passing criterionI don't really feel this should be weakened in any way.
I think this makes a very important point: Projects should be
transparent about the vulnerabilities they fix and not try to hide them.
Reading the bug report it sounds to me a bit like "The linux kernel
doesn't do it, so it shouldn't be required". Heck, it's a bad thing
that the linux kernel doesn't do it!