Should release_notes_vulns be relaxed from MUST to SHOULD?
Wang Anyu
Thanks David!
Based on our security practices, I suggested some criteria (#683 ~ #692) which mainly focus on crypto algorithms, secure delivery and code quality. Please post comments and suggestions on these issues:
https://github.com/linuxfoundation/cii-best-practices-badge/issues/683
https://github.com/linuxfoundation/cii-best-practices-badge/issues/684
https://github.com/linuxfoundation/cii-best-practices-badge/issues/685
https://github.com/linuxfoundation/cii-best-practices-badge/issues/686
https://github.com/linuxfoundation/cii-best-practices-badge/issues/687
https://github.com/linuxfoundation/cii-best-practices-badge/issues/688
https://github.com/linuxfoundation/cii-best-practices-badge/issues/689
https://github.com/linuxfoundation/cii-best-practices-badge/issues/690
https://github.com/linuxfoundation/cii-best-practices-badge/issues/691
https://github.com/linuxfoundation/cii-best-practices-badge/issues/692
Thanks a lot!
Wang Anyu (Andrew)
From: cii-badges-bounces@... [mailto:cii-badges-bounces@...]
On behalf of Wheeler, David A
All: Issue #674 proposes to slightly relax the passing criterion “release_notes_vulns”, which currently says:
> “The release notes MUST identify every publicly known vulnerability that is fixed in each new release.”
Details here:
> https://github.com/linuxfoundation/cii-best-practices-badge/issues/674
I think this is a different situation from the sites_https criterion, which required “The project sites (website, repository, and download URLs) MUST support HTTPS using TLS.” We’ve received many requests to relax the sites_https criterion, and have not done so, even though there are a number of projects that didn’t meet it. But that was fundamentally different. People generally *did* agree that projects should be using HTTPS, even if they weren’t.
In contrast, the proposers are arguing that there are reasonable reasons to not do this. This suggests that perhaps the criterion should be changed to a SHOULD instead of MUST (this would require them to provide a reason).
If you have comments, please post them on the issue: https://github.com/linuxfoundation/cii-best-practices-badge/issues/674
We’ve also received a number of suggestions from Wang Anyu, which are posted on GitHub as issues. I welcome anyone to comment on them, and I thank Wang Anyu for his thoughtful contributions.
Thanks!!
--- David A. Wheeler