Re: scan debian packages for security vulnerabilitys big time
On Mon, Nov 06, 2000 at 12:52:44AM +0100, Andreas Schuldei wrote:
> > Prevention's still the best prescription (if you're
> > adminning a system, you'd darn well better be performing your own audits
> > anyway, not relying on the author and distribution to do it for you),
> > but in certain situations may not always be possible or easily done.
> The tiny OpenBSD base system is under a three year non-stop audit. I want to
> see the admin who does such an audit before he installs a system. No single
> human being can do this efficiently nowadays.
I was referring to doing so /after/ installing a system. There are many tools
available (NESSUS, SATAN) which will check for common bugs in your services,
as well as many ways to do it by hand.
> > Non-DFSG-free software in the build process would be a big no-no.
> Debian would not depend on this tool, no more than it depended on PGP (when
> GPG was not available yet).
PGP wasn't used in the building, it was used AFTER the build. Signing packages
is a lot different than having a tool scan the source during the packaging and
generating diffs. This tool would be used during the build, which would make
the build depend on it (if it became part of the build process, anyway).