Re: scan debian packages for security vulnerabilities big time
On Sun, Nov 05, 2000 at 10:47:27PM +0100, Andreas Schuldei wrote:
> I am half way through the NM process and think it is time to ask for opinions
> and help for what I would like to address.
>
> That is why I would like to propose a twofold approach:
> 1) try to raise the security awareness of the debian developers and get them
> to audit the code of their packages and perhaps even help their upstream
> authors and
> 2) do that by providing a syntax/lexical checker for c(++) source (later also
> perl), which might at some point get integrated into the builddaemons
> and/or dpkg-buildpackage (Is this the same? I do know little about build
> daemons or even the internals of dpkg-buildpackage). That checker would
> point out problematic source code and perhaps even generate patches. The
> scope of such a scanner is limited. Real bugs might not be found, false
> alarms might be generated. This is really tricky and not so easy. Luckily,
> other, smarter people thought about this already and sadly wrote non-free
> code to scan the code. (This is about to change, since the author is
> considering rewriting the stuff under a free license and enhancing the
> program quite a bit.)
>
> For now, I packaged his non-free software (called 'Its The Software, stupid',
> short: its4.) and would like to try to integrate it into the debian
> development process.
Well, there is a problem: the packages should NOT depend on non-free code,
not even when building them. If the tool is integrated with the build process
that is a real problem.
> Now I need help and advice: At which point would it make sense to plug in the
> scanner? Who would like to sponsor the its4 package? Is this practicable at
> all? Will people ignore the warnings? What else did I forget?
Such a scanner should be great. Talk with the lintian people. Lintian is a
similar tool. It does not go that deep into the code but makes the packages
follow the policy.
But we have to wait for a free version...
// Ola
--
--------------------- Ola Lundqvist ---------------------------
/ olalu526@student.liu.se Björnkärrsgatan 5 A.11 \
| opal@lysator.liu.se 584 36 LINKÖPING |
| ordforande@lysator.liu.se +46 (0)13-17 69 83 |
| ola.lundqvist@euronetics.se +46 (0)70-332 1551 |
| http://www.opal.dhs.org UIN/icq: 4912500 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
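To make concrete what the "syntax/lexical checker" discussed above actually does, and why it produces the false alarms Andreas mentions, here is an added example of such a scanner. It is not its4 and not code from either poster; it is a small Python script that blanks out comments and string literals, then reports calls to a hand-picked table of C library functions that commonly lead to memory or command-injection bugs. The embedded C source is constructed for the illustration and deliberately contains a comment and a string literal that mention risky functions, a wrapper whose name merely contains "strcpy", and a system() call with a constant argument, to show what a purely lexical tool gets right and what it cannot judge.

```python
"""Minimal lexical scanner for risky C library calls.

Added example, not ITS4 and not code from the original post: it shows the
kind of purely lexical check discussed in the thread, including its limits.
"""
import re

# Risky calls and why they are flagged.  Severity is only a coarse triage
# hint; a human still has to look at the arguments of every hit.
RISKY_CALLS = {
    "gets":     ("high", "no bound on input length; cannot be used safely"),
    "strcpy":   ("high", "unbounded copy; check the destination size"),
    "strcat":   ("high", "unbounded append; check remaining space"),
    "sprintf":  ("high", "unbounded formatting into a buffer; prefer snprintf"),
    "vsprintf": ("high", "unbounded formatting into a buffer; prefer vsnprintf"),
    "scanf":    ("medium", "'%s' without a field width reads unbounded input"),
    "strncpy":  ("low", "may leave the destination without a NUL terminator"),
    "system":   ("medium", "shell command; check for attacker-controlled input"),
    "popen":    ("medium", "shell command; check for attacker-controlled input"),
    "tmpnam":   ("medium", "race between name generation and file creation"),
    "mktemp":   ("medium", "race between name generation and file creation"),
}

# Comments and string/char literals are blanked rather than removed, so line
# numbers survive and a function name mentioned in a comment or a string is
# not reported as a call.
_COMMENT_OR_LITERAL = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'',
    re.DOTALL,
)

def _blank(match):
    # Replace every character except newlines with a space.
    return re.sub(r"[^\n]", " ", match.group(0))

# An identifier immediately followed by '(' -- a call, a declaration or a
# definition; a lexical scanner cannot tell these apart.
_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")

def scan_c_source(text):
    """Return a list of (line, function, severity, note) for risky calls."""
    stripped = _COMMENT_OR_LITERAL.sub(_blank, text)
    findings = []
    for lineno, line in enumerate(stripped.splitlines(), start=1):
        for match in _CALL.finditer(line):
            name = match.group(1)
            if name in RISKY_CALLS:
                severity, note = RISKY_CALLS[name]
                findings.append((lineno, name, severity, note))
    return findings

def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 2, 'low': 1}."""
    counts = {}
    for _, _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts

# Constructed C source for the demonstration (not from any real package).
SAMPLE = """\
#include <stdio.h>
#include <string.h>

/* strcpy() in a comment must not be reported */
static char greeting[] = "gets(stdin) inside a string literal";

int copy_name(char *dst, size_t dstlen, const char *src)
{
    strcpy(dst, src);               /* real finding */
    strncpy(dst, src, dstlen);      /* may leave dst unterminated */
    return 0;
}

int my_strcpy_wrapper(char *d, const char *s) { return 0; }  /* not a hit */

int main(void)
{
    char buf[16];
    gets(buf);                      /* real finding */
    system("ls");                   /* constant argument: likely a false alarm */
    return 0;
}
"""

if __name__ == "__main__":
    hits = scan_c_source(SAMPLE)
    for lineno, name, severity, note in hits:
        print("line %d: %s() [%s] %s" % (lineno, name, severity, note))
    print(severity_counts(hits))
```

Run as a script it reports strcpy() on line 9, strncpy() on line 10, gets() on line 19 and system() on line 20 of the sample, and nothing for the comment, the string literal or the wrapper. The system("ls") hit is the kind of false alarm a lexical tool cannot avoid: deciding that the argument is a constant requires looking at the arguments, which is exactly the step such a scanner leaves to the developer reading its output.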