scan debian packages for security vulnerabilitys big time

To: debian-devel@lists.debian.org
Cc: debian-devel@lists.debian.org
Subject: scan debian packages for security vulnerabilitys big time
From: Andreas Schuldei <andreas@schuldei.org>
Date: Sun, 5 Nov 2000 22:47:27 +0100
Message-id: <[🔎] 20001105224727.C12812@sigrid.schuldei.com>

I am half way through the NM process and think it is time to ask for opinions
and help for what I would like to adress.

I guess you know OpenBSD? They do not wait till someone discovers a bug in
their distribution, writes an exploit and creates publicity by cracking
servers and defacing websites but they hunt for bugs themselfes. That is what
is called security audit. It can be not replaced by anything, really. It would
be optimal if all debian maintainers became security aware and started to
look for bugs on the source level. But OpenBSD achives their security at the
price of up-to-date packages. E.g. they still use bind 4 and an old sendmail,
because it is well audited and virtually bug free. We want both, of cause:
security and new features.

Since code audit is a really tiresome and time intensive task I could not do
that alone. And most problems would need to be fixed upstreams, anyway. There
is no way to audit faster than all the developer code.

That is why I would like to propose a twofold approach: 
1) try to raise the security awareness of the debian developers and get them
   to audit the code of their packages and perhaps even help their upstream
   authors and
2) do that by providing a syntax/lexical checker for c(++) source (later also
   perl), which might at some point get integrated into the builddaemons
   and/or dpkg-buildpackage (Is this the same? I do know little about build
   deamons or even the internals of dpkg-buildpackage). That checker would
   point out problematic source code and perhaps even generate patches. The
   scope of such a scanner is limited. Real bugs might not be found, false
   alarms might be generated. This is really tricky and not so easy. Luckily,
   other, smarter people thought about this allready and sadly wrote non-free
   code to scan the code. (This is about to change, since the author is
   considering to rewrite the stuff under a free license and enhance the
   program quite a bit.) 
   
For now, I packaged his non-free software (called 'Its The Software, stupid',
short: its4.) and would like to try to integrate it into the debian
development process. 

Now I need help and advice: At which point would it make sense to plug in the
scanner? Who would like to sponsor the its4 package? Is this practicable at
all? Will people ignore the warnings? What else did I forget?

Reply to:

Follow-Ups:
- Re: scan debian packages for security vulnerabilitys big time
  - From: Ola Lundqvist <olalu526@student.liu.se>
- Re: scan debian packages for security vulnerabilitys big time
  - From: Robert van der Meulen <rvdm@cistron.nl>
- Re: scan debian packages for security vulnerabilitys big time
  - From: Christian Kurz <shorty@debian.org>

Prev by Date: Re: X 4.0.1 what's the deal?
Next by Date: Re: RFC: initscript policy proposal
Previous by thread: Re: Needs sponsor for qtcups
Next by thread: Re: scan debian packages for security vulnerabilitys big time
Index(es):
- Date
- Thread