clarification needed: ALC_FLR.3.6C
- Subject: clarification needed: ALC_FLR.3.6C
- From: Magosányi Árpád <email@example.com>
- Date: 08 Dec 2003 20:30:14 +0100
The procedures for processing reported security flaws
shall ensure that any reported flaws are corrected and the
correction issued to TOE users.
The scope of the requirement is not adequately defined. Questions:
- which version of the TOE?
- what about archaic versions?
- what about development versions?
- what about non-TOE related issues?
  - incidences in the development environment
  - issues of the toolchain used
  - issues with software/hardware commonly used together with the TOE, specifically "the underlying abstract machine".
The Debian GNU/Linux project does have flaw remediation procedures,
which ensure that all reported security flaws _for the released
version of Debian GNU/Linux_ are corrected, and an advisory is
issued. However the flaw remediation documentation expressly
discloses the development versions, and software related to the
TOE (contrib and non-free), which are not considered to be
part of it.
I judge that the project does fulfill the requirement.
What is your interpretation?
GNU GPL: only from a clean source