5.1.1.4 Process to record and react to the availability of new security updates based on a risk-benefit assessment

From CLOCKSS Trusted Digital Repository Documents
Revision as of 03:36, 8 October 2013 by Dshr (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

5.1.1.4 - The repository shall have a process to record and react to the availability of new security updates based on a risk-benefit assessment.

Each CLOCKSS box's operating system is maintained current with the CentOS repositories. The LOCKSS team does not believe that it is a better position to decide whether security fixes to the operating system should be installed than the O/S support system. Some CLOCKSS boxes update automatically from these repositories within 24 hours, some require administrator intervention. This mitigates the risk that an erroneous update from CentOS would impact all CLOCKSS boxes almost simultaneously.

The process by which security requirements for the the LOCKSS software are developed and addressed is described in LOCKSS: Software Development Process. Once a security enhancement for the LOCKSS daemon is released, all CLOCKSS boxes install it automatically within 24 hours.

Relevant Documents

  1. CLOCKSS: Box Operations
  2. CLOCKSS: Logging and Records
  3. LOCKSS: Software Development Process