Re: setuid/setgid binaries contained in the Debian repository.
On Sat, Aug 02, 2003 at 08:58:00PM -0500, Manoj Srivastava wrote:
> Given the last review of a setgid program, I wonder if two
> people are enough.
Surely two people would be an improvement over the current situation, where
there is no review at all. Our demonstration has shown how one person can
discover some common flaws with a relatively brief review.
This bug and others existed in your package for over four years (and still
exist in stable today). We might still not know about it if you had not
brought the package to my attention for review. Steve Kemp might have
eventually discovered it in the course of his auditing, but I don't know
whether he is spending his time on non-free software such as angband.
Keep in mind that there are also potentially more than two people interested
in this review process. Another person besides myself has already
volunteered in just the first day of discussion, and I find this very
> The mistake was simple, human, and understandable, but the review does
> not in fact talk about any flaws in the current version of angband
The review, simplistic though it was, uncovered flaws in the package in
stable which were overlooked by the maintainer. This kind of situation is
often preventable through discussion and code review, as you have seen. I
would like to promote this beneficial process within Debian in order to
reduce the workload of the security team and the presence of vulnerabilities
in our stable releases.