Should release_notes_vulns be relaxed from MUST to SHOULD?

Wang Anyu

Thanks David!


Based on our security practices, I suggested some criteria (#683 ~ #692) which mainly focused on crypto algorithm, secure delivery and code quality.

Please post comments, suggestions on these issues:


Thanks a lot!


Wang Anyu (Andrew)



发件人: cii-badges-bounces@... [mailto:cii-badges-bounces@...] 代表 Wheeler, David A
发送时间: 2017312 8:20
收件人: cii-badges@...
主题: [CII-badges] Should release_notes_vulns be relaxed from MUST to SHOULD?


All:  Issue #674 proposes to slightly relax the passing criterion “release_notes_vulns”, which currently says:

> “The release notes MUST identify every publicly known vulnerability that is fixed in each new release".


Details here:



I think this is a different situation from the sites_https criterion, which required “The project sites (website, repository, and download URLs) MUST support HTTPS using TLS.”  We’ve received many requests to relax the sites_https criterion, and have not done so, even though there are a number of projects that didn’t meet it.  But that was fundamentally different.  People generally *did* agree that projects should be using HTTPS, even if they weren’t.


In contrast, the proposers are arguing that there are reasonable reasons to not do this.  This suggests that perhaps the criterion should be changed to a SHOULD instead of MUST (this would require them to provide a reason).


If you have comments, please post them on the issue:


We’ve also received a number of suggestions from Wang Anyu, which are posted on GitHub as issues.  I welcome anyone to comment on them, and I thank Wang Anyu for his thoughtful contributions.




--- David A. Wheeler