Re: scan debian packages for security vulnerabilitys big time
Quoting Colin Phipps (cphipps@doomworld.com):
> > The OpenBSD team audits their base source, not the ports tree, where a
> > _lot_ of the 'add-on' software comes from.
> Not entirely true, they do strongly encourage security auditing of
> packages before they are added to the ports tree.
True.
> > >1) try to raise the security awareness of the debian developers
> The easiest way to do this is just to audit some of their packages :-)
:)
> IMHO there's no need to "set up a small group". Anyone with the skill and
> time to do so should feel free to do their own auditing. That's what I do.
> Redundancy is good for security.
Maybe it's a good idea to 'formalize' this a bit, and set up something like a
mailing list (say 'debian-auditors') to discuss this kind of stuff, and to
'divide' packages to audit?
I wouldn't mind coordinating this, and maintaining a page to track
progress/track package-audit-assignments.
> > Bad Thing. Automated security scanners give a false sense of security,
> > and only hint about possible bugs/mistakes.
> But they are a start, and do increase awareness. Personally, I would have
> already submitted a patch to add a Lintian test for '/tmp/*$$' in scripts
> if I'd had the time to learn how to do so.
The awareness is already there when you use something like its4 (when it's
not a 'default' thing to do). If people know how to value the results, and
use it as an extra 'tool' to assist in auditing, there is no problem at all
;)
Robert
--
| rvdm@cistron.nl - Cistron Internet Services - www.cistron.nl |
| php3/c/perl/html/c++/sed/awk/linux/sql/cgi/security |
| My statements are mine, and not necessarily cistron's. |
"well you should probably thank me anyway,
those disks needed a major clean up :)" -- Cracker
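As an added illustration of the '/tmp/*$$' script check Colin mentions (this is not code from the thread or from Lintian itself), the following Python scanner flags temp-file paths under /tmp or /var/tmp whose name depends only on the process ID. The regular expression and the embedded sample script are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample: a shell fragment with two predictable temp files and one safe one.
# Not a real Debian maintainer script.
SAMPLE_SCRIPT = """#!/bin/sh
# TMP below is predictable: any local user can pre-create /tmp/foo.<pid>
TMP=/tmp/foo.$$
echo "data" > $TMP
SAFE=$(mktemp /tmp/foo.XXXXXX)
cp /var/tmp/cache$$ /tmp/other
"""

# A path under /tmp or /var/tmp ending in $$ (the shell's PID): guessable by other
# local users, so a symlink placed there beforehand can redirect the write.
UNSAFE_TMP = re.compile(r'/(?:var/)?tmp/[^\s"\'`;&|]*\$\$')


def find_predictable_tmp(script: str) -> List[Tuple[int, str]]:
    """Return (line number, matched path) for each PID-based temp path in a script."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith('#'):
            continue  # comment lines are never executed
        for m in UNSAFE_TMP.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


if __name__ == "__main__":
    for lineno, path in find_predictable_tmp(SAMPLE_SCRIPT):
        print(f"line {lineno}: predictable temp file {path}; use mktemp instead")
```

The safe line using mktemp is deliberately not reported, which is the distinction a Lintian-style check needs to make to keep false positives down.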