Re: scan debian packages for security vulnerabilitys big time
* Robert van der Meulen (rvdm@cistron.nl) [001106 10:46]:
> It might be a better idea to set up a small group of people, who start
> auditing packages (starting with 'base'), and who monitor patches for
> 'security critical' packages (like the daemons, suids,etc).
> I know this is far from complete/what you want, but asking every maintainer
> to audit their upstream source is maybe a bit too big a thing.
You are right. All the way.
a) we can not force anyone to be security aware
b) it would be good it audits happened.
c) it is a lot of work
> > For now, I packaged his non-free software (called 'Its The Software,
> > stupid', short: its4.) and would like to try to integrate it into the
> > debian development process.
> Bad Thing. Automated security scanners give a false sense of security, and
> only hint about possible bugs/mistakes.
not that bad it you take it with a grain of salt. some funktions are definitly
evil, you do not want to use them. Even gcc warns when some are used.
So it could make sense to replace evil code with saver equivalents.
> Everyone audits their code in a different way - some use grep, some use
> its4, and some put their c source trough the preprocessor and read it.
no, most people do not do it in the first place. As I wrote, it could be a way
to motivate them.
The real problem is the work and time which this takes. there is no real
automated audit (yet), but we would need it for our amounts of source.
But the importent thing is to not stop there and say: it is to much, it can't
be done! but to do what you can do. Sure this will not become a security
fanatic distribution. But in the Linux community there is not enough awareness
about security and people run nessus against their system an belief it is
secure, because 'it did not find known vulnerabilitys'. The known ones are not
the problem, but the unknown ones.
> Only a (mass?) auditing project would help keeping our code clean.
yes.
Reply to: