Re: scan debian packages for security vulnerabilities big time
On Mon, Nov 06, 2000 at 10:43:57AM +0100, Robert van der Meulen wrote:
> Quoting Andreas Schuldei (email@example.com):
> > started to look for bugs on the source level. But OpenBSD achieves their
> > security at the price of up-to-date packages. E.g. they still use bind 4
> > and an old sendmail, because it is well audited and virtually bug free. We
> > want both, of course: security and new features.
> The OpenBSD team audits their base source, not the ports tree, where a _lot_
> of the 'add-on' software comes from.
Not entirely true, they do strongly encourage security auditing of packages
before they are added to the ports tree.
> >1) try to raise the security awareness of the debian developers
The easiest way to do this is just to audit some of their packages :-)
> It might be a better idea to set up a small group of people, who start
> auditing packages (starting with 'base'), and who monitor patches for
> 'security critical' packages (like the daemons, suids, etc.).
> I know this is far from complete/what you want, but asking every maintainer
> to audit their upstream source is maybe a bit too big a thing.
s/maybe a bit// :-)
IMHO there's no need to "set up a small group". Anyone with the skill and
time to do so should feel free to do their own auditing. That's what I do.
Redundancy is good for security.
> > For now, I packaged his non-free software (called 'Its The Software,
> > stupid', short: its4.) and would like to try to integrate it into the
> > debian development process.
> Bad Thing. Automated security scanners give a false sense of security, and
> only hint about possible bugs/mistakes.
But they are a start, and do increase awareness. Personally, I would have
already submitted a patch to add a Lintian test for '/tmp/*$$' in scripts
if I'd had the time to learn how to do so.
But they are definitely no substitute for real people. Half of the bug
reports I file would never have been found by any automated scanner.
Colin Phipps <firstname.lastname@example.org> http://members.xoom.com/colin_phipps/
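The '/tmp/*$$' check Colin mentions is simple enough to show in working code. What follows is an added example, not code from the mail, from Lintian or from Debian: a POSIX shell stand-in for such a check, run over two constructed sample scripts (one building a temp-file name from /tmp plus the shell PID, one using mktemp). The function names, the regex and the sample scripts are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original mail, not Lintian's code).
# Flags shell scripts that build temp-file names as /tmp/<something>$$.
# $$ is the shell PID, which an attacker on the same host can guess and
# pre-create as a symlink, so the script then writes through the link.

# ERE matched against each line: literal /tmp/, a run of non-space,
# non-quote characters, then the literal $$ PID expansion.
PREDICTABLE_TMP_RE='/tmp/[^[:space:]"]*\$\$'

# Exit 0 if the given script contains the pattern, 1 otherwise.
flag_predictable_tmp() {
    grep -Eq "$PREDICTABLE_TMP_RE" "$1"
}

# Print the number of offending lines (0 is a valid answer, so the
# non-zero grep status for "no match" is swallowed).
count_predictable_tmp() {
    grep -Ec "$PREDICTABLE_TMP_RE" "$1" || true
}

# Print a one-line report per script, in the spirit of a lintian tag.
report_predictable_tmp() {
    if flag_predictable_tmp "$1"; then
        echo "W: $1: uses predictable temp file name (/tmp/...\$\$)"
    else
        echo "I: $1: no predictable /tmp name found"
    fi
}

# Constructed sample scripts (assumption: representative of the two
# patterns). The scratch directory itself uses mktemp -d, the safe form.
workdir=$(mktemp -d) || exit 1
trap 'rm -rf "$workdir"' EXIT

cat > "$workdir/bad.sh" <<'EOF'
#!/bin/sh
# predictable: /tmp/foo.<pid> can be pre-created by an attacker
out=/tmp/foo.$$
echo "data" > $out
EOF

cat > "$workdir/good.sh" <<'EOF'
#!/bin/sh
# unpredictable: mktemp creates the file atomically with a random suffix
out=$(mktemp /tmp/foo.XXXXXX) || exit 1
echo "data" > "$out"
EOF

report_predictable_tmp "$workdir/bad.sh"
report_predictable_tmp "$workdir/good.sh"
```

The check is line-based and deliberately narrow: it catches the literal '$$' spelling and nothing else, so scripts that reach the PID through `${$}`, a variable assignment, or `$PPID` slip past it, as do predictable names under other directories. That is exactly the "hint about possible mistakes" role the thread assigns to automated scanners; a hit still needs a human to confirm the file is opened unsafely.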