Re: [Trac] validation in a regulatory environment


Steffen Hoffmann

Sep 7, 2012, 4:48:15 PM9/7/12
to trac-...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07.09.2012 17:25, jules wrote:
> Hi folks,
>
>
> I was wondering if there was any group out there that has validated trac
>
> for use in a regulated environment? My company has been using trac for the
>
> last few years for defect tracking workflow, but we're applying to be a
>
> class 1 medical device and have to validate all of our internal software.
>
> Just wondering if anyone out there has done it or did they have to migrate
>
> their ticketing system to something else.

Interesting questions. But bear in mind that few of us may even know
details of terms like "class 1 medical device". To fill this gap I
provide the results of a quick research of mine [1][2]. I know this is
partly advertising for that company's product(s), but never mind, since
I'm not at all affiliated with them.

Now that I've found some key requirements I can assure you that you'll
probably meet most of them with Trac, if you have a suitable ticket
work-flow and a restrictive user permissions setup. I'd even vote to go
for new horizons with known-good tools that your staff is familiar with.

Your company may buy an FDA verified toolbox at any time. But will your
critical business knowledge migrate into it automatically? We all know
the answer: consultants. Don't get me wrong, some may be pretty much
worth the money, but I hate doing the ground work, being told how to do
it differently, and finally taking responsibility and work to fix stuff
because of decisions I wasn't heard on or even asked about. If you're
clueless, take that route, but if you know a bit, don't let them make
you look like a fool. /rant finished

The most critical part from my point of view is the digital signature
thing. I'm sorry, there's no native Trac solution for that right now,
but I suggest keeping an eye on CryptoPlugin [3]. (Disclosure: I'm the
author.)

This is currently WIP, but I've envisioned requirements like those
mentioned to be checked by the FDA, so I'll probably address most of them
later on. I'm testing wiki pages signed with strong crypto algorithms
(not published yet), and will extend this to attachments and tickets
too, as I progress.

Encryption is planned as well - think of restricted content, but not by
means of rather weak permission checks that will disclose information
if the plugin is deactivated or just dysfunctional [4], but using
industry grade crypto again. So in the worst case you'll see just garbage,
and only using your OpenPGP key will you be able to retrieve the content
after encryption.

I'd welcome detailed specs and requirements to be able to address them
as my time permits. Bear in mind that I won't be able to do any
software validation other than adding unit tests to prove fitness for
the/your/any application. This would be left to you or to your company's
partners.

I put faith in Trac for my own Trac applications. If you already trust
in Trac, you could share my vision, and it may be worth trying to make it
a TrustedTrac [5].

Sincerely,

Steffen Hoffmann


[1] http://www.arenasolutions.com/resources/articles/medical-device-development
[2] http://www.arenasolutions.com/resources/articles/21cfrpart11-compliance
[3] http://trac-hacks.org/wiki/CryptoPlugin
[4] http://trac-hacks.org/ticket/5784
[5] http://trac.edgewall.org/wiki/TracDev/TrustedTrac
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlBKXYsACgkQ31DJeiZFuHeLWgCgykW5WAaF6uI9aSHM7R4uPhKZ
23AAoIuBHHyJnw2mwqEdiV00npEYIFU2
=LXPO
-----END PGP SIGNATURE-----
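The two technical points in the post above, sign-off by digital signature over a wiki page revision and restricted content that stays unreadable when a permission check is switched off, as an added example that is not part of this thread and not CryptoPlugin's code. It stands in Ed25519 and AES-256-GCM from Go's standard library for the OpenPGP the plugin targets; `WikiPage`, `SignPage`, `VerifyPage`, `Seal`, `Open` and `ReadPermissionGuarded` are hypothetical names chosen here, and the page content is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// WikiPage is a constructed, hypothetical stand-in for one Trac wiki page revision.
type WikiPage struct {
	Name    string
	Version int
	Author  string
	Text    string
}

// canonical hashes every field a sign-off must bind; NUL separators keep
// text from being moved between fields without changing the digest.
func canonical(p WikiPage) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%d\x00%s\x00%s", p.Name, p.Version, p.Author, p.Text)
	return h.Sum(nil)
}

// SignPage returns a detached Ed25519 signature over the page revision.
func SignPage(priv ed25519.PrivateKey, p WikiPage) []byte {
	return ed25519.Sign(priv, canonical(p))
}

// VerifyPage checks a stored signature against the page as it reads now;
// any later edit to name, version, author or text makes this return false.
func VerifyPage(pub ed25519.PublicKey, p WikiPage, sig []byte) bool {
	return ed25519.Verify(pub, canonical(p), sig)
}

// Sealed is restricted page text as stored: ciphertext plus its nonce.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts restricted text with AES-256-GCM under a 32-byte key.
func Seal(key []byte, plaintext string) (Sealed, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Sealed{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, []byte(plaintext), nil)}, nil
}

// Open decrypts a Sealed record; a wrong key or a modified ciphertext fails
// authentication and yields an error, never partial plaintext.
func Open(key []byte, s Sealed) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return "", errors.New("restricted content: authentication failed")
	}
	return string(pt), nil
}

// ReadPermissionGuarded models the "rather weak permission check" the post
// warns about: plaintext at rest, guarded only by a flag that a deactivated
// or broken plugin leaves at false.
func ReadPermissionGuarded(text string, checksActive bool, allowed bool) (string, error) {
	if checksActive && !allowed {
		return "", errors.New("forbidden")
	}
	return text, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	page := WikiPage{Name: "ReleaseSignOff", Version: 1, Author: "jules", Text: "Approved."}
	sig := SignPage(priv, page)
	page.Text = "Approved. (silently edited)"
	fmt.Println("signature still valid after edit:", VerifyPage(pub, page, sig)) // false
	key := make([]byte, 32)
	rand.Read(key)
	sealed, _ := Seal(key, "restricted design notes")
	_, err := Open(make([]byte, 32), sealed) // wrong key: error, never plaintext
	leaked, _ := ReadPermissionGuarded("restricted design notes", false, false)
	fmt.Println("wrong key:", err, "| check disabled leaks:", leaked)
}
```

The contrast is the one the post draws: with `ReadPermissionGuarded` the content is disclosed the moment the check stops running, whereas with `Seal`/`Open` a missing or wrong key gives only an authentication error, and a signature bound to name, version, author and text turns any later edit of a signed-off page into a verification failure rather than a silent change.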

jules

Sep 11, 2012, 11:15:43 AM9/11/12
to trac-...@googlegroups.com
Thanks Steffen,

Most of the other stuff is writing up a set of requirements and paperwork on the trac system we already have installed.  We know that part.  Trac does everything we want it to do right now except the encryption and signing electronically.

The biggest sticking point for us is going to be the use of electronic signatures.  We will need it if we plan on using trac as a sign off tool.  Is anyone working on such a module for trac? 

Regards,
J

jules

Sep 11, 2012, 11:21:06 AM9/11/12
to trac-...@googlegroups.com
Ah sorry, I missed your bit about the CryptoPlugin.  I am looking at it now....


On Friday, September 7, 2012 4:48:25 PM UTC-4, hasienda wrote:

Steffen Hoffmann

Sep 11, 2012, 2:12:45 PM9/11/12
to trac-...@googlegroups.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11.09.2012 17:15, jules wrote:
> Thanks Steffen,
>
> Most of the other stuff is writing up a set of requirements and
> paperwork on the trac system we already have installed. We know that
> part. Trac does everything we want it to do right now except the
> encryption and signing electronically.

I hoped to hear something like this.

> The biggest sticking point for us is going to be the use of electronic
> signatures. We will need it if we plan on using trac as a sign off
> tool.

Not strictly. I had the same impression until I discovered FireGPG
recently. This is a Firefox extension to use crypto functions everywhere
on the web, which is certainly useful for web mail services. So why not
for wiki too? Only drawback: according to a blog post [1], the original
author dropped development about 2 years ago.

Anyway, it would be awesome to get you as an early adopter of
CryptoPlugin for Trac. At least I'm not the only one to see value in
such a development.

If you already looked at the current state of the code, you'll have
noticed that there's not much useful in it yet. This is mostly due to a
pending decision on the database schema [2], about which I hoped to get
some feedback from Trac core developers, but I failed to get any
thoughts by now.

Still I hope to come close to an initial release before this year's end.
If it would be absolutely critical for decision making, please drop me a
line. My private snapshots of my own upstream development are much ahead
and may already prove my claim for CryptoPlugin that it'll become an
industrial grade embedded OpenPGP solution for Trac - even the first
wiki crypto appliance I'm aware of.

Steffen Hoffmann


[1] http://blog.getfiregpg.org/2010/06/07/firegpg-discontinued/
[2] https://groups.google.com/forum/?fromgroups=#!topic/trac-dev/X1jkUiX0Fyw
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlBPfxkACgkQ31DJeiZFuHc3QwCgpRYr4Zi/f25Ab+MAJJ5pn2HX
CpkAoMbNi55cC1q3FMfREgRVLKZ0gaya
=5ftq
-----END PGP SIGNATURE-----

RjOllos

Oct 1, 2012, 4:02:16 PM10/1/12
to trac-...@googlegroups.com
On Tuesday, September 11, 2012 8:15:43 AM UTC-7, jules wrote:
> Most of the other stuff is writing up a set of requirements and paperwork on the trac system we already have installed.  We know that part.  Trac does everything we want it to do right now except the encryption and signing electronically.
>
> The biggest sticking point for us is going to be the use of electronic signatures.  We will need it if we plan on using trac as a sign off tool.  Is anyone working on such a module for trac?
>
> Regards,
> J

I'm also working on a class 1 medical device and managing a Trac instance. I'd be interested in talking with you more about this on IRC (username: rjollos) or gchat (rjollos @t gmail dot com) or email. Please ping me if you are interested in discussing.