scan debian packages for security vulnerabilities big time

I am halfway through the NM process and think it is time to ask for opinions
and help for what I would like to address.

I guess you know OpenBSD? They do not wait till someone discovers a bug in
their distribution, writes an exploit and creates publicity by cracking
servers and defacing websites, but they hunt for bugs themselves. That is what
is called a security audit. It cannot be replaced by anything, really. It would
be optimal if all debian maintainers became security aware and started to
look for bugs on the source level. But OpenBSD achieves their security at the
price of up-to-date packages. E.g. they still use bind 4 and an old sendmail,
because it is well audited and virtually bug free. We want both, of course:
security and new features.

Since code audit is a really tiresome and time-intensive task I could not do
that alone. And most problems would need to be fixed upstream, anyway. There
is no way to audit faster than all the developers write code.

That is why I would like to propose a twofold approach:

1) try to raise the security awareness of the debian developers and get them
   to audit the code of their packages and perhaps even help their upstream
   authors, and

2) do that by providing a syntax/lexical checker for C(++) source (later also
   perl), which might at some point get integrated into the build daemons
   and/or dpkg-buildpackage (Is this the same? I know little about build
   daemons or even the internals of dpkg-buildpackage). That checker would
   point out problematic source code and perhaps even generate patches. The
   scope of such a scanner is limited. Real bugs might not be found, false
   alarms might be generated. This is really tricky and not so easy. Luckily,
   other, smarter people thought about this already and sadly wrote non-free
   code to scan the code. (This is about to change, since the author is
   considering rewriting the stuff under a free license and enhancing the
   program quite a bit.)

For now, I packaged his non-free software (called 'Its The Software, stupid',
short: its4) and would like to try to integrate it into the debian
development process.

Now I need help and advice: At which point would it make sense to plug in the
scanner? Who would like to sponsor the its4 package? Is this practicable at
all? Will people ignore the warnings? What else did I forget?
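To make the kind of lexical checker described in point 2) concrete, here is a small added example of such a scanner written for this page; it is not its4 and not any code from the its4 author or the Debian project. The risk table of C library calls, their severities and the sample C source are all assumptions constructed for the illustration. It shows the lexical approach itself (a call is just an identifier followed by "(") and the main source of false alarms the post mentions: the same identifier inside a comment or a string literal, which the scanner blanks out before matching so that reported line numbers stay correct.

```python
import re

# Assumed risk table, not its4's database: a few classic unbounded C routines.
RISKY_CALLS = {
    "gets":    ("high",   "no bounds check at all; use fgets with a size"),
    "strcpy":  ("high",   "unbounded copy; use a size-limited copy"),
    "strcat":  ("high",   "unbounded append; check remaining space first"),
    "sprintf": ("high",   "unbounded format; use snprintf"),
    "scanf":   ("medium", "%s without a field width is unbounded"),
    "strncpy": ("low",    "may leave the result unterminated; check last byte"),
}

# Comments and literals are blanked (every character except newlines becomes a
# space) so "strcpy" in a comment or a message is not reported as a call.
_NOISE = re.compile(
    r'//[^\n]*'                 # line comment
    r'|/\*.*?\*/'               # block comment; re.S lets it span lines
    r'|"(?:\\.|[^"\\\n])*"'     # string literal with backslash escapes
    r"|'(?:\\.|[^'\\\n])*'",    # character literal
    re.S)
_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def _blank_noise(src):
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan_c_source(src):
    """Return (line, function, severity, note) for each risky call site."""
    findings = []
    for lineno, line in enumerate(_blank_noise(src).split("\n"), 1):
        for m in _CALL.finditer(line):
            name = m.group(1)
            if name in RISKY_CALLS:
                severity, note = RISKY_CALLS[name]
                findings.append((lineno, name, severity, note))
    return findings

# Constructed sample: the comment and the printf string mention strcpy but only
# the real calls on lines 5 and 7 should be reported.
SAMPLE = r'''#include <string.h>
#include <stdio.h>
/* a comment mentioning strcpy() must not be reported */
int greet(char *out, const char *name) {
    strcpy(out, name);
    printf("strcpy(%s) done\n", name);
    strncpy(out, name, 32);
    return 0;
}
'''

if __name__ == "__main__":
    for lineno, name, severity, note in scan_c_source(SAMPLE):
        print(f"sample.c:{lineno}: [{severity}] {name}: {note}")
```

A real checker would still need the tricks the post warns about, e.g. a macro or function pointer named like a risky routine is reported as a call, and a bounded call with a wrong size is not reported at all.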