Re: scan debian packages for security vulnerabilities big time
Quoting Colin Phipps (firstname.lastname@example.org):
> > The OpenBSD team audits their base source, not the ports tree, where a
> > _lot_ of the 'add-on' software comes from.
> Not entirely true, they do strongly encourage security auditing of
> packages before they are added to the ports tree.
> > > 1) try to raise the security awareness of the debian developers
> The easiest way to do this is just to audit some of their packages :-)
> IMHO there's no need to "set up a small group". Anyone with the skill and
> time to do so should feel free to do their own auditing. That's what I do.
> Redundancy is good for security.
Maybe it's a good idea to 'formalize' this a bit, and set up something like a
mailing list (say 'debian-auditors'), to discuss this kind of stuff, and to
'divide' packages to audit?
I wouldn't mind coordinating this, and maintaining a page to track
> > Bad Thing. Automated security scanners give a false sense of security,
> > and only hint about possible bugs/mistakes.
> But they are a start, and do increase awareness. Personally, I would have
> already submitted a patch to add a Lintian test for '/tmp/*$$' in scripts
> if I'd had the time to learn how to do so.
The awareness is already there when you use something like its4 (when it's
not a 'default' thing to do). If people know how to value the results, and
use it as an extra 'tool' to assist in auditing, there is no problem at all.
| email@example.com - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
"well you should probably thank me anyway,
those disks needed a major clean up :)" -- Cracker
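The Lintian-style check for '/tmp/*$$' discussed in the thread, as an added example written for this archive page; it is not Colin Phipps's patch, nor code from Lintian or its4. It scans a script for temp file names under /tmp or /var/tmp that are built from the shell PID (`$$`), which an attacker can predict and pre-create as a symlink, and it goes slightly beyond the post by also flagging fixed names under /tmp, while leaving lines that use mktemp or tempfile alone. The function name `find_predictable_tmp` and the embedded sample maintainer script are constructed for this example; the regular expressions are deliberate approximations, not a full shell parser.

```python
import re
from typing import List, Tuple

# A literal path under /tmp or /var/tmp, cut off at whitespace, quotes
# or shell metacharacters. Approximation: no real shell parsing here.
TMP_PATH = re.compile(r'/(?:var/)?tmp/[^\s\'"`;|&()<>]*')
# The shell's own PID, written $$ or ${$}: predictable, so unsafe as a name.
PID_REF = re.compile(r'\$\$|\$\{\$\}')
# mktemp(1) and Debian's tempfile(1) create the name atomically and safely.
SAFE_TMP = re.compile(r'\bmktemp\b|\btempfile\b')


def find_predictable_tmp(script: str) -> List[Tuple[int, str, str]]:
    """Return (line number, path, kind) for each predictable temp file name.

    kind is 'pid-based' for names containing $$ and 'fixed-name' for names
    with no shell expansion at all. Lines that are comments, or that call
    mktemp/tempfile, are skipped.
    """
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith('#'):
            continue
        if SAFE_TMP.search(line):
            continue
        for match in TMP_PATH.finditer(line):
            path = match.group(0)
            if path in ('/tmp/', '/var/tmp/'):
                continue  # a bare directory, e.g. "cd /tmp/", is not a file name
            if PID_REF.search(path):
                findings.append((lineno, path, 'pid-based'))
            elif '$' not in path:
                findings.append((lineno, path, 'fixed-name'))
    return findings


# Constructed sample for the checker; not a real Debian maintainer script.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed sample: writes config through a predictable temp file
TMP=/tmp/postinst.$$
echo "$CONF" > $TMP
cat /etc/passwd > /tmp/passwd.bak
SAFE=$(mktemp /tmp/postinst.XXXXXX)
cd /tmp
rm -f /tmp/postinst.$$ /tmp/passwd.bak
"""


def report(script: str) -> str:
    """Render findings in a Lintian-like one-line-per-hit format."""
    lines = []
    for lineno, path, kind in find_predictable_tmp(script):
        lines.append(f"W: line {lineno}: predictable temp file {path} ({kind}); "
                     f"use mktemp or tempfile instead")
    return "\n".join(lines)


if __name__ == '__main__':
    print(report(SAMPLE_SCRIPT))
```

Run it on a script and every hit names the line, the offending path and whether the weakness is a PID-based or a fixed name; the suggested fix in each case is to let mktemp or tempfile pick the name, since both create the file with O_EXCL and a random component rather than reusing a name that already exists.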