Tuesday, April 1, 2003

Earlier, I sent out this:
As everyone recalls from the last employee meeting, one
of our goals this year is to announce ISO 9001 certification
status by DAC '03. I'm pleased to announce that we're now in
the final stages of implementing our ISO 9001 procedures.

Since the ISO 9001 team has been getting a number of questions
on how this will affect our work, I've put together a brief FAQ:

1. Why are we attempting this?

A number of customers have been asking for ISO 9001 certified
software; traceability (the effects of a change) is greatly
enhanced when software development follows the ISO 9001 flow.

The EDA industry has been horribly lax at achieving this level
of certification. Neolinear plans on being the first significant
EDA company to announce that it has achieved ISO 9001
certification, thus removing a significant roadblock to customer
adoption.


2. How will this affect developers?

As stated, ISO 9001 is all about traceability. We have automated
tools (currently in beta testing before rollout) which will allow
us to monitor the effects of each commit made to our code bases.

This will require some cooperation on the part of the developers.
Starting next month, all commit comments must be formatted in the
Traceability XML format. It takes some getting used to, but
eventually becomes quite readable even without the traceability
tools. An example is:


">http://www.w3c.org/traceability-1.0.dtd">
">http://www.w3c.org/traceability/schema">

This is a sample commit comment.

In recent years, security has also become a significant issue. All
such commits must be PGP signed (we have installed the Gnu PGP tools
in /opt/tools/gnupg-1.2.1 for your convenience).


3. Does this only affect developers?

Of course not! ISO 9001 is a company-wide initiative. As you may
recall, the last few years have seen a rise in forging of company
press releases to manipulate stock prices. We will be implementing
the PGP signing of all communications outside the company. IT has
configured the SpamAssassin software to drop all incoming messages
that are not PGP-signed.

Software evaluations will also follow a rigorous ISO 9001 process.
During the evaluation process, we usually see a number of NeoCell
technology files and/or NeoCircuit device files undergo a number of
tweaks. These changes will all be documented according to the above
format; AEs and Sales will be trained during the week before DAC.

ISO 9001 recommends (but doesn't require) that all file formats be
stored in the easily-parsed XML format. The DAC timeframe is too
short for us to migrate; however, we will be migrating our file
formats to XML for NeoCell 4.0 and NeoCircuit 3.0.


4. I have a comment/suggestion about the process.

Great! The Neolinear ISO 9001 team is eager to hear how the process
can be improved. Drop us an e-mail at fool@neolinear.com.




I just now got this:

This message bounced when I tried fool@neolinear.com:

================================
[Name withheld]
Neolinear, Inc.
4801 South Lakeshore Drive, Suite 201
Tempe AZ 85283
[Phone number withheld]

How much of a guarantee is a pgp signature on a software change, considering
that our internal network is hardly secure, with passwords being sent cleartext
all the time?



================================
[Name withheld]
Neolinear, Inc.
4801 South Lakeshore Drive, Suite 201
Tempe AZ 85283
[Phone number withheld]



To which I sent:

[Name],

The security algorithm employed is very time-sensitive. Thus, spoofing
such a commit message wouldn't work if, say, I signed it on *April 1st*
and used a one-time pad with an MD-5 digest tachyon.

Dave
