
Re: scan debian packages for security vulnerabilities big time



On Sun, Nov 05, 2000 at 10:47:27PM +0100, Andreas Schuldei wrote:
> I am half way through the NM process and think it is time to ask for opinions
> and help for what I would like to address.
> 
> That is why I would like to propose a twofold approach: 
> 1) try to raise the security awareness of the debian developers and get them
>    to audit the code of their packages and perhaps even help their upstream
>    authors and
> 2) do that by providing a syntax/lexical checker for c(++) source (later also
>    perl), which might at some point get integrated into the builddaemons
>    and/or dpkg-buildpackage (Is this the same? I do know little about build
>    daemons or even the internals of dpkg-buildpackage). That checker would
>    point out problematic source code and perhaps even generate patches. The
>    scope of such a scanner is limited. Real bugs might not be found, false
>    alarms might be generated. This is really tricky and not so easy. Luckily,
>    other, smarter people thought about this already and sadly wrote non-free
>    code to scan the code. (This is about to change, since the author is
>    considering rewriting the stuff under a free license and enhancing the
>    program quite a bit.) 
>    
> For now, I packaged his non-free software (called 'Its The Software, stupid',
> short: its4.) and would like to try to integrate it into the debian
> development process. 

Well, there is a problem: the packages should NOT depend on non-free code.
Not even when building it. If the tool is integrated with the build process
that is a real problem.

> Now I need help and advice: At which point would it make sense to plug in the
> scanner? Who would like to sponsor the its4 package? Is this practicable at
> all? Will people ignore the warnings? What else did I forget?

Such a scanner should be great. Talk with the lintian people. Lintian is a
similar tool. It does not go that deep into the code but makes the packages
follow the policy.

But we have to wait for a free version...

// Ola

-- 
 --------------------- Ola Lundqvist ---------------------------
/  olalu526@student.liu.se             Björnkärrsgatan 5 A.11   \
|  opal@lysator.liu.se                 584 36 LINKÖPING         |
|  ordforande@lysator.liu.se           +46 (0)13-17 69 83       |
|  ola.lundqvist@euronetics.se         +46 (0)70-332 1551       |
|  http://www.opal.dhs.org             UIN/icq: 4912500         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------
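To make the proposal above concrete, here is a small lexical checker of the kind Andreas describes, written in Python as an added example; it is not ITS4, not Debian's code, and not part of the original thread. The risk table, the advice strings and the C sample are all constructed for this illustration. It shows the two points the thread raises: such a checker can only flag calls by name (so it cannot prove a real bug), and a plain pattern search produces false alarms whenever a risky name merely appears in a comment or string literal, which the scanner avoids by blanking those out before matching.

```python
import re

# Constructed risk table for the example; modelled on the idea of an
# ITS4-style lexical checker, not taken from ITS4's own database.
RISKY_CALLS = {
    "gets":    ("high",   "unbounded read into buffer; use fgets with a size"),
    "strcpy":  ("high",   "unbounded copy; check lengths or use snprintf"),
    "strcat":  ("high",   "unbounded append; check remaining space first"),
    "sprintf": ("medium", "unbounded formatting into buffer; prefer snprintf"),
    "system":  ("medium", "shell invocation; validate arguments or use execve"),
    "strncpy": ("low",    "may leave the buffer unterminated; terminate it"),
}

# One alternation so that whichever literal or comment starts first wins:
# string literal, char literal, block comment, line comment.
_SKIP_RE = re.compile(
    r'"(?:\\.|[^"\\\n])*"'       # "string"
    r"|'(?:\\.|[^'\\\n])*'"      # 'c'
    r"|/\*.*?\*/"                # /* block */
    r"|//[^\n]*",                # // line
    re.DOTALL,
)
# An identifier directly followed by "(": a call, but also a declaration or
# definition, which a purely lexical checker cannot tell apart.
_CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def strip_comments_and_strings(src):
    """Blank out comments and literals with spaces, keeping every newline
    so that line numbers computed on the result match the original."""
    return _SKIP_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan(src, naive=False):
    """Return findings as (line, function, severity, advice) tuples.

    With naive=True the source is searched as-is, which reproduces the
    false alarms the thread worries about: names mentioned in comments
    or strings get reported as calls."""
    text = src if naive else strip_comments_and_strings(src)
    findings = []
    for m in _CALL_RE.finditer(text):
        name = m.group(1)
        if name in RISKY_CALLS:
            line = text.count("\n", 0, m.start()) + 1
            severity, advice = RISKY_CALLS[name]
            findings.append((line, name, severity, advice))
    return findings


def format_report(filename, findings):
    """Render findings as one lintian-like line each."""
    return ["%s:%d: %s [%s] %s" % (filename, line, name, sev, advice)
            for line, name, sev, advice in findings]


# Constructed C sample; not code from any Debian package.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>

/* Old helper: used to call strcpy(dst, src) here. */
int copy_name(char *dst, size_t dstlen, const char *src)
{
    if (strlen(src) >= dstlen)
        return -1;
    strcpy(dst, src);                 /* line 9: real finding */
    printf("strcat(a, b) is only text\n");
    return 0;
}

int read_line(char *buf)
{
    return gets(buf) != NULL;         /* line 16: real finding */
}
'''

if __name__ == "__main__":
    print("naive search:")
    print("\n".join(format_report("sample.c", scan(SAMPLE_C, naive=True))))
    print("after stripping comments and strings:")
    print("\n".join(format_report("sample.c", scan(SAMPLE_C))))
```

Run stand-alone, the naive search reports four hits (two of them from the comment on line 4 and the string on line 10), while the stripped scan reports only the two real calls on lines 9 and 16. Note that the line-9 `strcpy` is actually guarded by the length check two lines earlier, so even the "real" finding is at best a hint for a human reviewer, which is exactly the limited scope the proposal describes.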