commoncriteria / application

Protection Profile for Application Software
The Unlicense

No tag for version 1.3 and control of Technical Decisions #164

Closed amasino closed 4 years ago

amasino commented 4 years ago

Version 1.3 of the Application Software Protection Profile is published, but there is no tag created for that version. I assume that the approach is to leave a floating version (master) but it would be useful to have a tag, as the latest version may have technical decisions applied. Also, it would be useful to have a tag for each group of TDs incorporated.

zsmi commented 4 years ago

Tag for version 1.3 has been created. There are a number of things that could be done better with the development of PPs and tracking in git. If we used branches this would be a lot easier to do but I haven't had much luck convincing people we need this.

amasino commented 4 years ago

One of the use cases for which the current CM system may not work well is the following: a CC evaluation project based on a Protection Profile that, having several TDs already applied, cannot accept further TDs because of the progress in the project (testing finished). At that point, the project cannot use the latest version of the document, just a subset of the TDs applied. If the CM system has tags for the groups of TDs applied at a certain point of time, or if the grammar allows modification tags for TDs (e.g. like change marks), then the end user may select the level of update of the PP to a certain TD. I think this is pretty common in projects, and it would be certainly beneficial for evaluation facilities to have such flexibility in all PPs.

zsmi commented 4 years ago

I'm in agreement that this would be nice to do. It would involve having everyone in agreement that is developing protection profiles. Implementing this means changes to the build system and how individuals develop protection profiles and as a result this should be pitched to everyone before we make any changes.

As of right now evaluation labs are supposed to use the PP as listed on NIAP's website and use the list of TDs on the specific Protection Profile's page. They're not supposed to be using the version on GitHub or https://commoncriteria.github.io/. There were talks at one point on methods to make it easier for test labs to have the TDs rolled into their PPs but I'm not sure what ever came out of that.