Re: scan debian packages for security vulnerabilities big time
Quoting Andreas Schuldei (andreas@schuldei.org):
> started to look for bugs on the source level. But OpenBSD achieves their
> security at the price of up-to-date packages. E.g. they still use bind 4
> and an old sendmail, because it is well audited and virtually bug free. We
> want both, of course: security and new features.
The OpenBSD team audits their base source, not the ports tree, where a _lot_
of the 'add-on' software comes from.
To compare with Debian: if we do it the OpenBSD way, we'd have to audit
'base', and try to create security awareness among the people who maintain
non-'base' packages.
> 1) try to raise the security awareness of the debian developers and get
> them to audit the code of their packages and perhaps even help their
> upstream authors and
This is a good thing, although I don't think this is something you can
expect from everyone. Apart from the knowledge not being there, auditing
even a single package is A Lot Of Work.
It might be a better idea to set up a small group of people who start
auditing packages (starting with 'base'), and who monitor patches for
'security critical' packages (like the daemons, suids, etc.).
I know this is far from complete/what you want, but asking every maintainer
to audit their upstream source is maybe a bit too big a thing.
> For now, I packaged his non-free software (called 'Its The Software,
> stupid', short: its4.) and would like to try to integrate it into the
> debian development process.
Bad Thing. Automated security scanners give a false sense of security, and
only hint about possible bugs/mistakes.
its4 is in fact a glorified grep, that scans for 'known dangerous
constructs'. In practice, you'll find every strcpy, strcat, etc in the
warning log, with a big 'watch out' next to it.
Everyone audits their code in a different way: some use grep, some use
its4, and some put their C source through the preprocessor and read it.
I don't think that integrating its4 (or any other source code analyser) into
the debian build process will be of much help, except for generating lots of
extra work (and warnings).
> Now I need help and advice: At which point would it make sense to plug in
> the scanner? Who would like to sponsor the its4 package? Is this
> practicable at all? Will people ignore the warnings? What else did I
> forget?
Probably you forgot that it's lots of people's hobby to run its4 against
large amounts of source code and hope they'll find a vulnerability (and
sometimes do!).
Only a (mass?) auditing project would help keep our code clean.
Greets,
Robert
--
| rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
Just put me in a corner, with my head facing the wall :) -- marijnv
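The "glorified grep" described in the reply above, written out as an added example (this is not its4's code, nor anything from the Debian project): a lexical scanner that flags every call to a listed function, with no idea whether the call is actually unsafe. The list of functions, the severities and the sample C file are constructed for this example and are assumptions, not its4's real database. The sample deliberately contains one strcpy() that is bounded by a preceding length check and one that is not; both land in the report with the same "high" tag, which is the false-positive problem the message complains about. The only thing it does beyond plain grep is blank out comments first, so a strcpy() mentioned in a comment is not reported.

```python
import re

# Constructed "known dangerous construct" table in the style of an its4-like
# scanner. Names, severities and notes are assumptions for this example.
DANGEROUS_CALLS = {
    "gets":     ("high",   "no bound on input; cannot be used safely"),
    "strcpy":   ("high",   "unbounded copy; check destination size"),
    "strcat":   ("high",   "unbounded append; check remaining space"),
    "sprintf":  ("high",   "unbounded formatted output; prefer snprintf"),
    "system":   ("high",   "shell invocation; check argument provenance"),
    "strncpy":  ("medium", "bounded, but may leave dest unterminated"),
    "snprintf": ("low",    "check the return value for truncation"),
}

# Match an identifier from the table followed by '(' : a call, not a mention.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, DANGEROUS_CALLS)) + r")\s*\(")


def strip_comments(src):
    """Blank out /* ... */ and // comments, keeping newlines so that line
    numbers in the report still point at the right source line.
    (Lexical only: a '/*' or '//' inside a string literal fools it.)"""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    src = re.sub(r"//[^\n]*", blank, src)
    return src


def scan_c_source(src):
    """Return [(lineno, func, severity, note)] for every call to a listed
    function. Purely lexical, like grep: it cannot distinguish a strcpy()
    guarded by a length check from an unguarded one."""
    findings = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            severity, note = DANGEROUS_CALLS[func]
            findings.append((lineno, func, severity, note))
    return findings


def format_report(findings):
    """One warning line per finding, its4-log style."""
    return ["%d: %s() [%s] %s" % f for f in findings]


# Constructed sample input. Line 5 mentions strcpy only in a comment, line 9
# is a real unbounded copy, line 13 is the same call bounded by the check on
# line 12 (safe in practice, but the scanner flags it all the same).
SAMPLE_C = r'''
#include <string.h>
#include <stdio.h>

/* strcpy() is mentioned here in a comment only */
int copy_name(char *dst, size_t dstlen, const char *src)
{
    char buf[64];
    strcpy(buf, src);                 /* unbounded: real problem */
    strncpy(dst, src, dstlen - 1);    // bounded, but never writes a terminator on overflow
    dst[dstlen - 1] = '\0';
    if (strlen(src) < sizeof buf)
        strcpy(buf, src);             /* bounded by the check above, flagged anyway */
    return snprintf(dst, dstlen, "%s", buf);
}
'''

if __name__ == "__main__":
    for line in format_report(scan_c_source(SAMPLE_C)):
        print(line)
```

Run stand-alone it prints four warnings for the sample: lines 9 and 13 (strcpy, high), line 10 (strncpy, medium) and line 14 (snprintf, low). Deciding which of the two strcpy() warnings matters still takes a human reading the code, which is the point the reply makes about plugging such a tool into the build.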