Hi,
As mentioned earlier, I had some questions / queries regarding the
requirements for the proposed packages. Sending them here for
discussion.
Kento Yoshida <kento.yoshida.wz@...> writes:
> Requirements_for_proposal_SecurityWG_rev03.xlsx: the same file which I've already sent before to explain the requirement in the standard
* sudo-ldap
Is there a specific requirement to include sudo-ldap in favour of plain
sudo? IIUC, sudo is a minimal dependency version while ldap requires
additional packages to be available.
* openssh
Based on the listed requirements, it is not clear why ftp and ssh
clients are needed. Can you please clarify the requirements' text to
motivate inclusion of the client binaries as well?
* pam-pkcs11
From my understanding, the package enables login using public / private
keys. But the requirements talk about enforcing the strength of
passwords -
"A minimum strength of used passwords needs to be enforced."
Possibly a mixup of package and requirements?
* tpm2*
I think libtss2-esys0 is mistakenly included as explicit requirement. It
seems to be a dependency of tpm2-abrmd and will get pulled in
automatically as per my understanding.
* uuid-runtime
It’s not clear how the package is related to the requirement -
"Account Identifier shall be unique on a component or system wide
level. Protection of relevant information in rest and transit shall
be supported."
Can you add more details to the requirement to clarify this?
---
Thanks,
Punit