[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: scan debian packages for security vulnerabilitys big time

On Mon, Nov 06, 2000 at 10:43:57AM +0100, Robert van der Meulen wrote:
> Quoting Andreas Schuldei (andreas@schuldei.org):
> > started to look for bugs on the source level. But OpenBSD achives their
> > security at the price of up-to-date packages. E.g. they still use bind 4
> > and an old sendmail, because it is well audited and virtually bug free. We
> > want both, of cause: security and new features.
> The OpenBSD team audits their base source, not the ports tree, where a _lot_
> of the 'add-on' software comes from.

Not entirely true, they do strongly encourage security auditing of packages 
before they are added to the ports tree.

> >1) try to raise the security awareness of the debian developers

The easiest way to do this is just to audit some of their packages :-)

> It might be a better idea to set up a small group of people, who start
> auditing packages (starting with 'base'), and who monitor patches for
> 'security critical' packages (like the daemons, suids,etc).
> I know this is far from complete/what you want, but asking every maintainer
> to audit their upstream source is maybe a bit too big a thing.

s/maybe a bit// :-)

IMHO there's no need to "set up a small group". Anyone with the skill and 
time to do so should feel free to do their own auditing. That's what I do.
Redundancy is good for security.

> > For now, I packaged his non-free software (called 'Its The Software,
> > stupid', short: its4.) and would like to try to integrate it into the
> > debian development process. 
> Bad Thing. Automated security scanners give a false sense of security, and
> only hint about possible bugs/mistakes.

But they are a start, and do increase awareness. Personally, I would have 
already submitted a patch to add a Lintian test for '/tmp/*$$' in scripts 
if I'd had the time to learn how to do so.

But they are definitely no substitute for real people. Half of the bug 
reports I file would never have been found by any automated scanner.

Colin Phipps <cphipps@doomworld.com>   http://members.xoom.com/colin_phipps/

Reply to: