Re: scan debian packages for security vulnerabilities big time

On 00-11-05 Andreas Schuldei wrote:
> is called security audit. It cannot be replaced by anything, really. It would
> be optimal if all debian maintainers became security aware and started to
> look for bugs on the source level. But OpenBSD achieves their security at the

This won't be possible as you need a lot of knowledge about security and
programming to do a real audit. It's not enough to have knowledge about
security only or programming only; it's the combination of both kinds of
knowledge that allows you to do audits.

> Since code audit is a really tiresome and time intensive task I could
> not do that alone. And most problems would need to be fixed upstream,
> anyway. There is no way to audit faster than all the developers code.

Why don't you ask for help on this on security-audit? This list was
originally created for doing audits of unix tools and is seldom used.
(You should know this. :)

> 1) try to raise the security awareness of the debian developers and get them
>    to audit the code of their packages and perhaps even help their upstream
>    authors and

Raise the security awareness? Yes, but not auditing code, because a lot
of debian developers won't have enough knowledge for you.

> 2) do that by providing a syntax/lexical checker for c(++) source (later also
>    perl), which might at some point get integrated into the builddaemons
>    and/or dpkg-buildpackage (Is this the same? I do know little about build

These tools help you as much as grepping for some well known insecure
functions and then inspecting the code yourself. No tool can ever
automate the task of inspecting a source and making a judgment on whether it's
secure or not.
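As an added example (not part of this thread), a minimal lexical checker of the kind being discussed: it flags an assumed short list of risky C calls by name, and the constructed sample shows why every hit still needs a human reader, since a length-checked strcpy is reported while an unchecked memcpy is not.

```python
import re

# Assumed list; the thread names no specific functions. Each entry is a
# C library call that a purely lexical scan would flag on sight.
RISKY_CALLS = {
    "gets": "reads unbounded input",
    "strcpy": "copies with no destination bound",
    "strcat": "appends with no destination bound",
    "sprintf": "formats with no destination bound",
}
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")

def strip_noise(text):
    """Blank out comments and string literals, keeping line numbers aligned."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', text)

def scan_c_source(text):
    """Return (line, function, reason) per risky call; matches names only, never bounds."""
    findings = []
    for lineno, line in enumerate(strip_noise(text).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            findings.append((lineno, m.group(1), RISKY_CALLS[m.group(1)]))
    return findings

# Constructed sample C input: one checked strcpy, one unchecked memcpy, one gets.
SAMPLE_C = """\
#include <string.h>
#include <stdio.h>
/* strcpy named in a comment must not be reported */
void checked(const char *src) {
    char dst[32];
    if (strlen(src) < sizeof dst)
        strcpy(dst, src);      /* reported, although the length was checked */
}
void unchecked(const char *src, size_t n) {
    char dst[32];
    memcpy(dst, src, n);       /* not reported, although n is never checked */
}
void obvious(void) {
    char buf[8];
    gets(buf);                 /* reported, and never safe */
}
"""

if __name__ == "__main__":
    for lineno, name, reason in scan_c_source(SAMPLE_C):
        print(f"line {lineno}: {name}() - {reason}")
```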

