
Re: scan debian packages for security vulnerabilitys big time

* Colin Mattson (colol@ionet.net) [001106 01:20]:
> I was referring to doing so /after/ installing a system.  There are many tools
> available (NESSUS, SATAN) which will check for common bugs in your services,
> as well as many ways to do it by hand.

That is another matter. This approach is not about configuration, it is about
the source. Configuration-wise, Debian is doing fine.

> > > Non-DFSG-free software in the build process would be a big no-no.
> > 
> > debian would not depend on this tool. not more than it depended on pgp (when
> > gpg was not available yet).
> PGP wasn't used in the building, it was used AFTER the build.  Signing packages
> is a lot different than having a tool scan the source during the packaging and
> generating diffs. 

The non-free its4 would not generate diffs; it would print the critical code
and explain what is bad.

> This tool would be used during the build, which would make

I think it is of no concern in which phase of the build process it is used.
The point is that it is used at all. Or that PGP was used at all.

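For readers unfamiliar with what a source scanner of the its4 kind actually does at build time, here is an added example (not its4's own code, and not anything from Debian's build tooling) of the behaviour described above: it walks C source, ignores comments and string literals, flags calls to a small table of risky libc functions, and prints the offending line together with an explanation. The rule table, the severities, the explanatory wording and the sample C file are this example's own constructions, not its4's database.

```python
"""its4-style scanner: flag risky C library calls and say why (added example)."""
import re
from dataclasses import dataclass

# Constructed rule table. its4 ships a much larger database; these entries and
# their explanations are this example's own wording, not its4's.
RULES = {
    "gets":    ("high",   "reads unbounded input into a fixed buffer; use fgets with a size"),
    "strcpy":  ("high",   "no length check on the destination; check lengths or use strlcpy"),
    "strcat":  ("high",   "no length check on the destination; check lengths or use strlcat"),
    "sprintf": ("high",   "unbounded formatted write; use snprintf"),
    "system":  ("medium", "shell metacharacters in the argument allow command injection; use execve"),
    "mktemp":  ("medium", "predictable temporary file name; use mkstemp"),
    "printf":  ("low",    "format string must never come from user input"),
}

@dataclass
class Finding:
    line: int
    func: str
    severity: str
    code: str
    why: str

# Block comments, line comments, string and character literals. They are
# blanked out (newlines kept) so that "strcpy" inside a comment or a string
# is not reported and line numbers stay correct.
_COMMENT_OR_STRING = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'', re.S)
_CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')

def _blank(m):
    return re.sub(r'[^\n]', ' ', m.group(0))

def scan(src):
    """Return one Finding per call to a function listed in RULES."""
    clean = _COMMENT_OR_STRING.sub(_blank, src)
    lines = src.split("\n")
    findings = []
    for m in _CALL.finditer(clean):
        name = m.group(1)
        if name not in RULES:
            continue
        lineno = clean.count("\n", 0, m.start()) + 1
        severity, why = RULES[name]
        findings.append(Finding(lineno, name, severity, lines[lineno - 1].strip(), why))
    return findings

def report(findings):
    """Render findings the way a build-time scanner would print them."""
    return "\n".join(
        f"{f.line}: {f.func}() [{f.severity}] -- {f.why}\n    {f.code}" for f in findings)

# Constructed sample input: a deliberately sloppy C program.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* strcpy(dst, src) in a comment must not be flagged */
int main(int argc, char **argv)
{
    char buf[64], cmd[128];
    printf("usage: %s (strcpy(x) in a string literal is ignored)\\n", argv[0]);
    if (argc > 1)
        strcpy(buf, argv[1]);
    sprintf(cmd, "ls %s", buf);
    gets(buf);
    return system(cmd);
}
"""

if __name__ == "__main__":
    print(report(scan(SAMPLE_C)))
```

The scanner is purely lexical, exactly the limitation its4 has: it cannot tell a safe `strcpy` of a constant from an unsafe one, so its output is a list of places for a human to read, not a patch. That is why a tool of this kind prints the critical code and an explanation rather than generating diffs.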