Auditing

Revision 1 as of 2009-01-26 23:31:53

Introduction

The SecurityTeam is sometimes asked to perform source code auditing, typically during the MainInclusionProcess. Due to time constraints, only a high-level audit is performed for Main Inclusion Reports (MIRs).

MIR Process

  1. When a source package needs an audit from the SecurityTeam, the bug is assigned to ubuntu-security with a comment asking for the package to be reviewed.

  2. A member of the SecurityTeam will assign the bug to him or herself and change the bug status to 'In Progress'.

  3. When the audit is completed, the SecurityTeam member will change the bug status back to 'Confirmed', unassign him or herself, and add a comment summarizing the results of the audit.

If the bug requires more information, the SecurityTeam member should mark the bug status as 'Incomplete', without changing who the bug is assigned to.


CategoryProcess