
Re: scan debian packages for security vulnerabilities big time



On Mon, Nov 06, 2000 at 10:43:57AM +0100, Robert van der Meulen wrote:
> Quoting Andreas Schuldei (andreas@schuldei.org):
> > started to look for bugs on the source level. But OpenBSD achieves their
> > security at the price of up-to-date packages. E.g. they still use bind 4
> > and an old sendmail, because it is well audited and virtually bug free. We
> > want both, of course: security and new features.
> The OpenBSD team audits their base source, not the ports tree, where a _lot_
> of the 'add-on' software comes from.

Not entirely true, they do strongly encourage security auditing of packages 
before they are added to the ports tree.

> >1) try to raise the security awareness of the debian developers

The easiest way to do this is just to audit some of their packages :-)

> It might be a better idea to set up a small group of people, who start
> auditing packages (starting with 'base'), and who monitor patches for
> 'security critical' packages (like the daemons, suids, etc).
> I know this is far from complete/what you want, but asking every maintainer
> to audit their upstream source is maybe a bit too big a thing.

s/maybe a bit// :-)

IMHO there's no need to "set up a small group". Anyone with the skill and 
time to do so should feel free to do their own auditing. That's what I do.
Redundancy is good for security.

> > For now, I packaged his non-free software (called 'Its The Software,
> > stupid', short: its4.) and would like to try to integrate it into the
> > debian development process. 
> Bad Thing. Automated security scanners give a false sense of security, and
> only hint about possible bugs/mistakes.

But they are a start, and do increase awareness. Personally, I would have 
already submitted a patch to add a Lintian test for '/tmp/*$$' in scripts 
if I'd had the time to learn how to do so.

But they are definitely no substitute for real people. Half of the bug 
reports I file would never have been found by any automated scanner.

--
Colin Phipps <cphipps@doomworld.com>   http://members.xoom.com/colin_phipps/
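As an added example (not part of the thread, and not Lintian's own code), this is the kind of check Colin describes: a scan over a shell script for temporary files named with `$$`, which is predictable from the process id and therefore racy against other local users. The sample maintainer script is constructed for illustration.

```python
import re

# Matches a /tmp or /var/tmp path whose name contains the shell's "$$" (pid).
# The character class stops at whitespace, quotes and shell metacharacters so the
# match covers just the path token, e.g. "/tmp/pkgconf.$$" or "/var/tmp/$$.log".
TMP_PID_PATTERN = re.compile(r"(/(?:var/)?tmp/[^\s\"'`;|&<>)]*\$\$[^\s\"'`;|&<>)]*)")


def find_predictable_tmpfiles(script_text):
    """Return a list of (line_number, path) for every $$-based temp path.

    Lines that are entirely comments (including the shebang) are skipped, since
    they cannot create files; trailing comments are not stripped, so the check
    is deliberately conservative and may over-report.
    """
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for match in TMP_PID_PATTERN.finditer(line):
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample postinst: two predictable temp paths and one safe mktemp use.
SAMPLE_POSTINST = """#!/bin/sh
# constructed sample maintainer script, not from any real package
set -e
TMPFILE=/tmp/pkgconf.$$
echo "x" > $TMPFILE
LOG=/var/tmp/$$.log
# /tmp/oldway.$$ in a comment should not be flagged
SAFE=$(mktemp /tmp/pkgconf.XXXXXX)
echo "y" > "$SAFE"
rm -f $TMPFILE "$SAFE"
"""

if __name__ == "__main__":
    for lineno, path in find_predictable_tmpfiles(SAMPLE_POSTINST):
        # Report in a Lintian-like one-line style
        print(f"W: predictable temp file {path} (line {lineno}); use mktemp instead")
```

Run against a package's maintainer scripts (postinst, prerm, ...) and cron jobs; each reported line should be rewritten to obtain its temporary name from mktemp, as the `SAFE=` line in the sample does.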


