
Re: scan debian packages for security vulnerabilitys big time

Quoting Colin Phipps (cphipps@doomworld.com):
> > The OpenBSD team audits their base source, not the ports tree, where a
> > _lot_ of the 'add-on' software comes from.
> Not entirely true, they do strongly encourage security auditing of
> packages before they are added to the ports tree.

> > > 1) try to raise the security awareness of the debian developers
> The easiest way to do this is just to audit some of their packages :-)

> IMHO there's no need to "set up a small group". Anyone with the skill and
> time to do so should feel free to do their own auditing. That's what I do.
> Redundancy is good for security.
Maybe it's a good idea to 'formalize' this a bit, and set up something like a
mailing list (say 'debian-auditors'), to discuss this kind of stuff, and to
'divide' packages to audit?
I wouldn't mind coordinating this, and maintaining a page to track
progress/track package-audit-assignments.

> > Bad Thing. Automated security scanners give a false sense of security,
> > and only hint about possible bugs/mistakes.
> But they are a start, and do increase awareness. Personally, I would have
> already submitted a patch to add a Lintian test for '/tmp/*$$' in scripts
> if I'd had the time to learn how to do so.
The awareness is already there when you use something like its4 (when it's
not a 'default' thing to do). If people know how to value the results, and
use it as an extra 'tool' to assist in auditing, there is no problem at all.


|      rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl        |
|          php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security             |
|         My statements are mine, and not necessarily cistron's.           |
         "well you should probably thank me anyway,
          those disks needed a major clean up :)" -- Cracker
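As an added illustration of the '/tmp/*$$' check Colin mentions (this is not code from the thread, from Lintian, or from its4), a small scanner that flags shell scripts building temporary file names from the PID. The sample script, the regex and the warning format are constructed for this example.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample script (not from the thread): three predictable
# temp-file names built from $$, plus one correct mktemp(1) use.
SAMPLE_SCRIPT = """#!/bin/sh
TMP=/tmp/myapp.$$
echo "$DATA" > $TMP
LOG=/tmp/log-$$.txt
SAFE=$(mktemp /tmp/myapp.XXXXXX)
WORK=/var/tmp/work$$
"""

# A literal path under /tmp or /var/tmp whose name embeds $$ (the shell's PID).
# PIDs are guessable, so another local user can pre-create that file or plant
# a symlink there before the script runs; mktemp(1) avoids this by creating
# the file atomically under an unpredictable name.
INSECURE_TMP = re.compile(r'(?:/var)?/tmp/[^\s"\'`;]*\$\$[^\s"\'`;]*')


def find_insecure_tmp(script: str) -> List[Tuple[int, str]]:
    """Return (line_number, path) for every predictable /tmp name in a script."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith('#'):
            continue  # comments and the #! line cannot create files
        for m in INSECURE_TMP.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def format_report(path: str, script: str) -> str:
    """One warning line per finding, in a Lintian-like 'W:' style (constructed)."""
    return '\n'.join(f'W: {path}:{n}: predictable temp file {p} (use mktemp)'
                     for n, p in find_insecure_tmp(script))


if __name__ == '__main__':
    # Usage: python scan_tmp.py script.sh ...   (no argument scans the sample)
    for name in sys.argv[1:] or ['<sample>']:
        text = SAMPLE_SCRIPT if name == '<sample>' else open(name).read()
        print(format_report(name, text) or f'{name}: no findings')
```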
