Re: [libreplanet-discuss] 7 Reasons to Avoid Open Source?
From: Thomas Harding
Subject: Re: [libreplanet-discuss] 7 Reasons to Avoid Open Source?
Date: Tue, 05 Dec 2017 00:59:28 +0100
On 4 December 2017 20:02:41 GMT+01:00, Chad Larson
<BPYZs1fx@mailtoo.hungrycats.org> wrote:
>On Mon, Dec 04, 2017 at 09:06:10AM -0600, Caleb Herbert wrote:
>> On Sun, 2017-12-03 at 21:12 -0500, Chad Larson wrote:
[...]
>> > that the code implements the requirements correctly for each
>> > product that uses the code. Industrial regulations require traceability
>> > to determine which individual personally made which implementation
>> > decisions and which individual tested and verified the results.
>>
>> Sounds like they want better documentation. Ask Red Hat.
>
>That seems like an odd request, given that Red Hat's history of certified
>products is limited to enterprise software running on x86_64 hosts,
>not embedded systems. Red Hat has some products rated at EAL4, but the
>traceability requirements for EAL4 are fairly weak compared to other
>industry standards (or even EAL6). The other certifications they have
>seem to have even weaker requirements (but I haven't fully reviewed
>them all).
Common Criteria EAL evaluation is out of vendors' scope, especially regarding
operating systems:
EAL evaluation is conducted through a defined environment on a specific usage
where a defined and reproducible setup has been done on the tested system.
Moreover, enlisted laboratories are so rare and expensive that a vendor will
never afford them.
If I remember correctly, tests/certification processes were afforded on some
Red Hat and SUSE setups by German defence.
In any case: asking for a vendor to afford CC / EAL testing and certification
does not make sense.
(While traceability and automated tests would help, and CC requirements for EALn
include a controlled development process -- from the start -- as claimed earlier
in the thread)
>I know of any free-software projects currently offering a complete
>traceability data set. I know of only two open-source projects (FreeRTOS
>and OpenSafety) which offer traceability data at all--but in both cases
>the data is only available under a separate non-free license.
>
>A warranty is necessary but not sufficient. If a project is demanding
>traceability, they expect more from their ll
--
I was born to share not hatred, but love.
Sophocles, Antigone, 442 BC