
Re: Who should I report source audits too?



On Fri, 25 Oct 2002, Steve Kemp wrote:
> On Thu, Oct 24, 2002 at 06:43:56PM -0500, Drew Scott Daniels wrote:
>
> > I have started an unofficial auditing project on sourceforge. It was my
> > intention to talk to debian-devel about what I should do, however the open
> > policy of Debian leads me to believe that posting the raw audits in the
> > sourceforge project would be partially acceptable as long as bugs were
> > filed by hand.
>
>   I hope a little duplication of effort isn't a problem, because I just
>  started to create some webpages myself:
>
> 	http://www.steve.org.uk/Debian/
>
>   Those pages contain a list of packages which will be audited, and
>  some of the results so far.  (Some results have been kept private).
>
>   It was my intention to move the static pages to some kind of database
>  driven site, but I didn't have the time yesterday.
>
>   Would you share the URL or the project name for your project?
>
"Debian rough audits" is at https://sourceforge.net/projects/debraudit/,
but has almost nothing. I have a brief plan on the web site and a trove
description. I've been waiting until I had more time to investigate rough
auditing tools. I'd actually like to see a regular audit of all Debian
code similar to what it sounds like OpenBSD likes.

I would like to add people to the project and I'm glad to see that I'm not
the only person interested in rough audits of Debian.

> > If the bug covers multiple distributions (ones other than Debian) then

Policies need to be gathered and maintained for security related projects.
I hope to have policy documents closely linked to the security audit
project. The project will also need warnings that the audits are rough. I
believe that despite the arguments against it, rough audits are better than
no audits, but I do agree with critics that full audits are better than
rough audits.
