From 44c55484766a4925753bd098cedfa7a5e7c20aff Mon Sep 17 00:00:00 2001 From: martinscheffler Date: Tue, 26 May 2020 09:05:20 +0200 Subject: [PATCH] Add user story for reproducible builds Please support some way to check that the app was compiled from github sources. See telegram reproducible builds for inspiration: https://core.telegram.org/reproducible-builds --- scoping_document.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/scoping_document.md b/scoping_document.md index f92631e..7cd60d9 100644 --- a/scoping_document.md +++ b/scoping_document.md @@ -179,3 +179,8 @@ The corresponding acceptance criteria supplement the specification of the requir | # of user story ID | User story | Acceptance criteria | |-----------------|------------|--------------------| | E10.01 | As the RKI, I want to manage the app content centrally, so that I can update texts, links, hotlines, and so on once for all the places in the app. | 1. Content management will be carried out based on RKI requirements.
2. Content will be differentiated by static and dynamic content, in line with technical feasibility.
3. In the initial version, updates will be performed through an app update. | + +### App Security +| # of user story ID | User story | Acceptance criteria | +|-----------------|------------|--------------------| +| E11.01 | As a user of the app, I want to be able to verify that the app I downloaded from a public repository was compiled from publicly available source code and that no additional, security critical code was added or changed. | 1. The build version of the app can be retrieved from the running app. 2. There is a way to obtain a full build environment for building the app for each available platform. 3. Users can use that environment to build the app as it is published to the app stores. 4. The public app and the app built by the customer can be checked for identity with existing tools. |
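Review bot: In the new E11.01 row, acceptance criterion 1 ("The build version of the app can be retrieved from the running app") does not tie that version to a source revision, so a user cannot tell which state of the public source to build for the comparison in criterion 4. Suggest wording such as "The build version shown in the running app identifies the exact tagged source revision it was built from." Criterion 4 ("checked for identity with existing tools") also leaves open what is compared and what counts as a match. It should name the artifact being compared and state whether parts that change at publication, such as the signature, are excluded. Terminology is inconsistent within the row: the story says "downloaded from a public repository" while criterion 3 says "published to the app stores", and criterion 4 says "the customer" where the story and criterion 3 say "user"/"Users". Pick one term for each. Minor: "security critical" should be hyphenated, and the four criteria are run together in one cell on a single line. Separate them so each criterion can be read and tested individually.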