Russ Allbery <[email protected]> writes: >This is a bit of an "ask the Lazyweb" question since I have done only minimal >research, but is there any way for me to declare, as the software maintainer, >what I consider to be the security boundaries of the software in a way that >can be at least partially machine-readable?
Even before getting into that, how do you document that people shouldn't do certain things with their config files, or by extension which bits are inside and outside the security boundary? "If an unauthorised party can modify your config files then bad things can happen" seems redundant, "We take no responsibility for what happens if you fail to take unspecified steps to secure your config files" might be correct but will be perceived as blame-the- victim... how do you document this for users? Peter.
