From 209542acc6b9209dd37e15f40bce103613467bef Mon Sep 17 00:00:00 2001
From: Ian Grigg <iang@cacert.org>
Date: Wed, 4 Mar 2009 21:51:20 +0000
Subject: [PATCH] review of section 7

git-svn-id: http://svn.cacert.org/CAcert/Policies@1194 14b1bab8-4ef6-0310-b690-991c95c89dfd
---
 SecurityPolicy.html | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/SecurityPolicy.html b/SecurityPolicy.html
index 0b38808..11cf53f 100644
--- a/SecurityPolicy.html
+++ b/SecurityPolicy.html
@@ -801,13 +801,13 @@ Additions to the team are approved by Board
 The primary tasks are:
 </p>
 <ol><li>
-    Keep the code secure,
+    Keep the code secure in its operation,
   </li><li>
     Fix security bugs, including incidents,
   </li><li>
     Audit, Verify and sign-off proposed patches,
   </li><li>
-    Assist Systems Administration team in inserting patches,
+    Guide Systems Administration team in inserting patches,
   </li><li>
     Provide guidance for architecture,
 </li></ol>
@@ -821,25 +821,21 @@ In principle, anyone can submit code changes for approval.
 <h3> <a name="7.3"> 7.3. </a> Repository </h3>
 
 <p>
-The application code and patches are maintained in a
-central version control system by the
+The application code and patches are maintained
+in a central repository that is run by the
 software development team.
 </p>
 
-<p>
-The integrity of the central version control system
-is crucial for the integrity of the applications running
-on the critical systems.
-</p>
-
 <h3> <a name="7.4"> 7.4. </a> Review </h3>
 
 <p>
-Patches are signed off by the team leader
+At the minimum,
+patches are signed off by the team leader
 or his designated reviewer.
 Each software change should be reviewed
 by a person other than the author.
-Author and sign-off must be logged.
+Author and signers-off must be logged.
+The riskier the source is, the more reviews have to be done.
 </p>
 
 <h3> <a name="7.5"> 7.5. </a> Test and Bugs </h3>
@@ -853,9 +849,10 @@ Test status of each patch must be logged.
 <p>
 Software Development team maintains a bug system.
 Primary communications should go through this system.
-Access should be granted to all software developers,
-systems administrators, and patch contributors.
-Access may be granted to other Members.
+Management access should be granted to all software developers,
+and systems administrators.
+Bug submission access should be provided to
+any Member that requests it.
 </p>
 
 <h3> <a name="7.6"> 7.6. </a> Handover </h3>