[gnessus-discuss] Contributions (fwd)

Robert Berkowitz robert.berkowitz at gmail.com
Wed Nov 2 17:53:42 CET 2005


I don't think we should publish anything that we deem to be of poor
quality. We should publish guidelines for submissions to follow though
and anyone may then submit plugins. If the submission does not meet
the guidelines then it is rejected until fixed. If it passes the
guidelines it should go to one of our testers for verification. If it
then passes testing it will be committed to the "release quality"
plugin list.

There are many ways to break out the "quality" plugins from general
submissions. One way is to perhaps have three groups. One for alpha
plugins. These would be submissions that pass the initial guidelines
and that is all. Next, beta plugins. These have been accepted for
testing. Finally, GA plugins. These would be the plugins that have
passed all internal QA tests and are "certified".

Like I said before we should look at other projects, like bleeding
snort, to model our structure around. Model, not duplicate de-facto.
There is always room for improvement.

Hopefully that clears up what I was thinking in my previous message :)

Robert

On 11/2/05, Jason <security at brvenik.com> wrote:
>
> Being an aggregation point for plugins is ok but adopting the we accept
> and publish anything mantra will negatively affect the ultimate quality
> of the project. Bleeding rules for snort are often very poor quality,
> lack documentation, have rudimentary testing, and are ultimately
> irresponsible in that they lead people to believe they have coverage for
> something they often do not.
>
> If the project is to accept plugins from anyone without regard to
> quality or effectiveness then there needs to be a rating system behind it
> so that people can understand the scope of the plugin and the
> reliability it affords. Quality is more important than having X
> capability for Y which may only impact a small subset of the population
> and negatively affect the system overall.
>



