Hi list,

I was thinking about the Debian/OpenSSL debacle. Clearly it is not easy to manage a hard, meticulous QA process for all packages. On the other hand, there are packages more critical than others, which are more delicate in the security sense. Sometimes those packages have different priorities in the policy meaning. Maybe we can implement this as an optional header in the control file.

The point is: if we can create a "critical QA" category for delicate packages in the security sense, we can have mandatory QA requirements. For example:

- It should be checked with debugging tools (like valgrind :P)
- It should be maintained by a team
- It should have a public VCS
- Its patches should be signed off by reviewers (Raphael Hertzog (hertzog@) proposed something like this)
You can extend or reduce this list. We can discuss the implementation. But I mainly want to know your opinion. Please paste the URL if you discussed this in the past.

luciano