From 209542acc6b9209dd37e15f40bce103613467bef Mon Sep 17 00:00:00 2001 From: Ian Grigg Date: Wed, 4 Mar 2009 21:51:20 +0000 Subject: [PATCH] review of section 7 git-svn-id: http://svn.cacert.org/CAcert/Policies@1194 14b1bab8-4ef6-0310-b690-991c95c89dfd --- SecurityPolicy.html | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/SecurityPolicy.html b/SecurityPolicy.html index 0b38808..11cf53f 100644 --- a/SecurityPolicy.html +++ b/SecurityPolicy.html @@ -801,13 +801,13 @@ Additions to the team are approved by Board The primary tasks are:

  1. - Keep the code secure, + Keep the code secure in its operation,
  2. Fix security bugs, including incidents,
  3. Audit, Verify and sign-off proposed patches,
  4. - Assist Systems Administration team in inserting patches, + Guide Systems Administration team in inserting patches,
  5. Provide guidance for architecture,
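Review bot: Narrowing task 1 from "Keep the code secure" to "Keep the code secure in its operation" drops the team's stated responsibility for the code at rest, i.e. the source and patches in the repository, so the hunk should say who now owns that if the intent was to exclude it. Changing task 4 from "Assist" to "Guide Systems Administration team in inserting patches" likewise shifts the hands-on insertion onto the administration team without naming that in their task list; suggest adding a sentence such as "Systems Administration team performs the insertion; Software Assessment team reviews and guides" so the division of duty is explicit.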
@@ -821,25 +821,21 @@ In principle, anyone can submit code changes for approval.

7.3. Repository

-The application code and patches are maintained in a -central version control system by the +The application code and patches are maintained +in a central repository that is run by the software development team.

-

-The integrity of the central version control system -is crucial for the integrity of the applications running -on the critical systems. -

-

7.4. Review

-Patches are signed off by the team leader +At the minimum, +patches are signed off by the team leader or his designated reviewer. Each software change should be reviewed by a person other than the author. -Author and sign-off must be logged. +Author and signers-off must be logged. +The riskier the source is, the more reviews have to be done.

7.5. Test and Bugs

@@ -853,9 +849,10 @@ Test status of each patch must be logged.

Software Development team maintains a bug system. Primary communications should go through this system. -Access should be granted to all software developers, -systems administrators, and patch contributors. -Access may be granted to other Members. +Management access should be granted to all software developers, +and systems administrators. +Bug submission access should be provided to +any Member that requests it.

7.6. Handover
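Review bot: The new access wording drops "patch contributors" from the bug-system access list, yet the context of this same patch states "In principle, anyone can submit code changes for approval", so a contributor who is not a Member now has no defined access path; suggest either "Bug submission access should be provided to any Member or patch contributor that requests it." or a statement that contributors must be Members. "Management access" is also introduced without definition, so say what it permits beyond submission (for example, closing or reassigning bugs) so the least-privilege split between the two access levels is checkable.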