[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: scan debian packages for security vulnerabilitys big time

On Sun, Nov 05, 2000 at 10:47:27PM +0100, Andreas Schuldei wrote:
> I am half way through the NM process and think it is time to ask for opinions
> and help for what I would like to adress.
> That is why I would like to propose a twofold approach: 
> 1) try to raise the security awareness of the debian developers and get them
>    to audit the code of their packages and perhaps even help their upstream
>    authors and
> 2) do that by providing a syntax/lexical checker for c(++) source (later also
>    perl), which might at some point get integrated into the builddaemons
>    and/or dpkg-buildpackage (Is this the same? I do know little about build
>    deamons or even the internals of dpkg-buildpackage). That checker would
>    point out problematic source code and perhaps even generate patches. The
>    scope of such a scanner is limited. Real bugs might not be found, false
>    alarms might be generated. This is really tricky and not so easy. Luckily,
>    other, smarter people thought about this allready and sadly wrote non-free
>    code to scan the code. (This is about to change, since the author is
>    considering to rewrite the stuff under a free license and enhance the
>    program quite a bit.) 
> For now, I packaged his non-free software (called 'Its The Software, stupid',
> short: its4.) and would like to try to integrate it into the debian
> development process. 

Well there is a problem that the packages should NOT depend on non-free code.
Not even when building it. If the tool is integrated with the build process
that is a real problem.

> Now I need help and advice: At which point would it make sense to plug in the
> scanner? Who would like to sponsor the its4 package? Is this practicable at
> all? Will people ignore the warnings? What else did I forget?

Such a scanner should be great. Talk with the lintian people. Lintian is a
similar tool. It does not go that deep into the code but makes the packages
follow the policy.

But we have to wait for a free version...

// Ola

 --------------------- Ola Lundqvist ---------------------------
/  olalu526@student.liu.se             Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  ordforande@lysator.liu.se           +46 (0)13-17 69 83       |
|  ola.lundqvist@euronetics.se         +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /

Reply to: