New Package Security Review

New packages should not be added to CloudRouter unless they have undergone a security review. New packages will be assessed against the following criteria:

  • Is the upstream actively maintained?
  • Does the upstream have a process for providing security patches and advisories?
  • Do any services provided by the package run as an appropriate unprivileged user?
  • Does CloudRouter have sufficient resources with appropriate knowledge to provide security support for the package?
  • Optional: does a quick manual penetration test reveal any serious vulnerabilities?
  • If the package includes native binaries:
    • Are they all compiled from source?
    • Does the specfile include appropriate compiler hardening flags?
    • Are they appropriately segregated by architecture?

The following contributors are currently authorized to approve or reject new packages from a security perspective: David Jorm, Paul Gampe, Arun Neelicattu, Brendan Scarvell.