
Re: scan debian packages for security vulnerabilitys big time



[Changed Reply-To to point to the right list]

On 00-11-05 Andreas Schuldei wrote:
> is called security audit. It cannot be replaced by anything, really. It would
> be optimal if all debian maintainers became security aware and started to
> look for bugs on the source level. But OpenBSD achieves their security at the

This won't be possible as you need a lot of knowledge about security and
programming to do a real audit. It's not enough to have knowledge about
security only or programming only; it's the combination of both kinds of
knowledge that allows you to do audits.

> Since code audit is a really tiresome and time intensive task I could
> not do that alone. And most problems would need to be fixed upstreams,
> anyway. There is no way to audit faster than all the developer code.

Why don't you ask for help on this on security-audit? This list was
originally created for doing audits of unix tools and is seldom used.
(You should know this. :)

> 1) try to raise the security awareness of the debian developers and get them
>    to audit the code of their packages and perhaps even help their upstream
>    authors and

Raise the security awareness? Yes, but not auditing code, because a lot
of debian developers won't have enough knowledge for you.

> 2) do that by providing a syntax/lexical checker for c(++) source (later also
>    perl), which might at some point get integrated into the builddaemons
>    and/or dpkg-buildpackage (Is this the same? I do know little about build

These tools help you as much as grepping for some well-known insecure
functions and then inspecting the code yourself. No tool can ever
automate the task of inspecting a source and making a judgment on whether it's
secure or not.

Ciao
     Christian
-- 
          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
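As an added example (not part of the original thread, and not a Debian or OpenBSD tool), here is the "grep for well-known insecure functions, then read the hits by hand" first pass that the reply above describes. The function list, the regular expression and the sample C source are all constructed for illustration; the list is a starting point to be tuned per project, and a hit is a place to read, not a bug report.

```shell
#!/bin/sh
# Added example: a grep-based first pass for well-known unsafe C library
# calls. Everything here, including the sample source written by
# write_sample_source, is constructed for illustration.

# Functions whose presence usually deserves a manual look. Illustrative, not
# exhaustive: tune it for the code base being audited.
UNSAFE_FUNCS='gets|strcpy|strcat|sprintf|vsprintf|scanf|sscanf|fscanf|strncpy|strncat|realpath|getwd|mktemp|tmpnam|tempnam|system|popen|execvp|execlp'

# Print "line:text" (or "file:line:text" for several files) for every line that
# calls one of the listed functions. The pattern requires a non-identifier
# character before the name and "(" after it, so "strcpy(" is a hit while
# "my_strcpy_wrapper" and "snprintf(" are not. grep exits 1 when nothing
# matches, hence "|| true" so callers under "set -e" survive a clean file.
scan_unsafe_calls() {
    grep -nE "(^|[^A-Za-z0-9_])($UNSAFE_FUNCS)[[:space:]]*\(" "$@" 2>/dev/null || true
}

# Same scan, reduced to the number of lines to inspect, for a build check.
count_unsafe_calls() {
    scan_unsafe_calls "$@" | wc -l | tr -d ' '
}

# Write a constructed C file with two classic unsafe calls and two lines that
# look similar but must not match.
write_sample_source() {
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <string.h>

/* Constructed sample for the scanner above. */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            /* unbounded copy into a fixed buffer */
    printf("hello %s\n", buf);
}

int read_line(char *out) {
    return gets(out) != NULL;     /* gets() has no bound at all */
}

int safe_copy(char *dst, const char *src, size_t n) {
    return snprintf(dst, n, "%s", src);   /* bounded; not in the list */
}

/* my_strcpy_wrapper is a different identifier and must not match */
int my_strcpy_wrapper(void) { return 0; }
EOF
}

# With file arguments: scan them. Without: scan the constructed sample.
if [ $# -gt 0 ]; then
    scan_unsafe_calls "$@"
else
    sample=$(mktemp)
    write_sample_source "$sample"
    scan_unsafe_calls "$sample"
    echo "$(count_unsafe_calls "$sample") line(s) to inspect by hand"
    rm -f "$sample"
fi
```

Run it as `sh scan.sh src/*.c` to list candidate lines. The scan reports the `strcpy` and `gets` lines in the sample and nothing else; it says nothing about whether `buf` can actually be overrun, which is exactly the judgment the reply above says only a reader can make, and it misses any unsafe use of functions not on the list (an unchecked `memcpy` length, for instance).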
