OPeNDAP Development and Security Policies

Development Policies
• All of our software uses LGPL or GPL
  – LGPL is used by most of the code
  – We want it to be easy for others to use the software
  – We don’t care if they make money from it
  – GPL is more appropriate for end products like user interfaces

Participating in Development
• All are welcome
• Source code is available for anyone to read
• Write access is limited to a small number of people
  – Patches - easier for most people because…
  – SVN write comes with some strings attached
• Writers must take care to ‘do no harm’
• But we know people are not perfect

SVN for source code control, Trac for management
• Trac is fairly tightly coupled to SVN
• Trac provides milestones and ‘tickets’
• Tickets are used for features, bugs as well as tasks
  – That is, it is used for both software issues and group management issues
• Other Trac features:
  – Wiki for design documents and plans
  – Roadmap for lists of milestones
  – SVN browse

Developer’s Wiki
• We run a Wiki for developers - separate from the Trac Wiki
  – It uses TWiki
• It serves as a scratchpad for ideas
• A place to refine ideas before making more formal versions (e.g., we wrote the DAP spec there first before preparing a version in LaTeX for NASA)

Two Wikis are not enough…
• We are moving all of our documentation to a MediaWiki
  – Both programmer documentation
  – And user documentation
• We used to use LaTeX for all of our docs and it was easy to make both PDF and HTML versions from the LaTeX sources
• The Wiki based docs will be much easier for most people to edit

Nightly builds
• We run nightly builds on several machines
• There is a web service system we use to collect the results of those builds and the logs they generate
• The results of the builds are available from Trac - take a look now (scm.opendap.org:8090/trac)
• The builds build code from svn using a fresh checkout
• We have a svn project which is used to stage a new nightly build

Who can get write access?
• Anyone who asks can get write access to our Wikis (Developers and Docs)
• Trac access is more restricted, but we are not too worried about giving out access
• Both Trac and SVN are database systems and both are backed up every night
• Nightly builds are limited to specific IP addresses

Development Security Policies
• Source code review using an expert system
• Use US-CERT guidelines
• When is source code ready for release?
  – All changes must be examined by the expert system
  – And by a designated ‘Security Officer’
  – In addition to the original author

Security Release notes
• In addition to the regular release notes
• These notes will detail fixes and known issues
• They will be encrypted and available to security personnel at sites running our code
• To receive these notes you must provide us with your public key - we will use GPG to encrypt the notes
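The workflow on this last slide, shown end to end as an added example (this is not code from the OPeNDAP slides or project): the site generates a key pair and sends its public key, the maintainer imports that key and encrypts the notes to it, and only the site's private key can recover them. The key, the user ID, the notes text and the file names are constructed for the demo; it assumes GnuPG 2.1 or later is on PATH and works entirely in throwaway keyring directories.

```shell
#!/bin/sh
# Added example, not part of the OPeNDAP slides: encrypted security release
# notes with GnuPG. All names, paths and keys below are constructed for the
# demo; it assumes gpg (GnuPG 2.1+) is installed.
set -eu

# Make a scratch keyring directory; gpg insists on mode 700.
new_keyring() {
    d=$(mktemp -d)
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# First fingerprint in a colon-separated key listing (the primary key).
first_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Site side: make a key pair (no passphrase, so the demo runs unattended)
# and export the public half, which is what the site would send OPeNDAP.
# gen_site_key KEYRING USERID PUBKEY_OUT -> prints the fingerprint
gen_site_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
    fpr=$(gpg --homedir "$1" --batch --with-colons --list-secret-keys | first_fpr)
    gpg --homedir "$1" --batch --armor --output "$3" --export "$fpr"
    printf '%s\n' "$fpr"
}

# Maintainer side: import the site's public key and encrypt the notes to it.
# Only the holder of the matching private key can read the result.
# encrypt_notes KEYRING PUBKEY_FILE NOTES_FILE OUT_FILE
encrypt_notes() {
    gpg --homedir "$1" --batch --quiet --import "$2"
    fpr=$(gpg --homedir "$1" --batch --with-colons --list-keys | first_fpr)
    # --trust-model always skips the web-of-trust check on a freshly imported key;
    # see the note below the block on why that is only acceptable in a demo.
    gpg --homedir "$1" --batch --yes --quiet --trust-model always --armor \
        --recipient "$fpr" --output "$4" --encrypt "$3"
}

# Site side again: decrypt with the private key. decrypt_notes KEYRING IN_FILE
decrypt_notes() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$2"
}

# Full round trip; prints the recovered plaintext so it can be checked.
demo_roundtrip() {
    site=$(new_keyring); maint=$(new_keyring); work=$(mktemp -d)
    printf 'Security release notes (constructed sample): fixes and known issues\n' \
        > "$work/notes.txt"
    gen_site_key "$site" "Site Security Contact <security@site.example>" \
        "$work/site-pub.asc" >/dev/null
    encrypt_notes "$maint" "$work/site-pub.asc" "$work/notes.txt" "$work/notes.txt.asc"
    # Sanity checks: the ciphertext is an armored PGP message and does not leak
    # the plaintext.
    grep -q 'BEGIN PGP MESSAGE' "$work/notes.txt.asc"
    if grep -q 'known issues' "$work/notes.txt.asc"; then
        echo "plaintext leaked into ciphertext" >&2
        return 1
    fi
    decrypt_notes "$site" "$work/notes.txt.asc"
    # Tidy up the agents gpg started for the scratch keyrings, then the files.
    gpgconf --homedir "$site" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$maint" --kill gpg-agent 2>/dev/null || true
    rm -rf "$site" "$maint" "$work"
}

# Run the demo directly with: NOTES_DEMO=1 sh notes-gpg.sh
if [ "${NOTES_DEMO:-}" = "1" ]; then
    demo_roundtrip
fi
```

Two things differ from the demo in real use. A site's key should carry a passphrase; the empty passphrase here exists only so the script runs without a prompt. And `--trust-model always` is a shortcut: before encrypting anything sensitive to a key that arrived by e-mail, the maintainer should confirm its fingerprint with the site contact over a second channel (`gpg --fingerprint`), since encrypting to the wrong key sends the notes to whoever supplied it.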