On Wed, Jan 08, 2003 at 12:04:30PM +0100, Javier Fernández-Sanguino Peña wrote:

> Even if not being Debian-specific I just wanted to make you aware
> of an audit project for Linux-security related software available at
> Sardonix: https://sardonix.org/

Thanks for the link, the site looks interesting. I think it's wrong to focus upon purely security related software though - as this misses out upon many vulnerable programs. I guess the plus side of narrowing your focus is that you have a much better idea of the size of the task, and it suggests an obvious ordering method.

> Steve, I believe they already have a database ready for audits
> including popular programs.

I do indeed, it's not yet public though as it requires some fine-tuning. At the moment I'm generating a list of packages based upon binaries which are setuid/setgid within sarge and ordering those packages upon the results of the Debian popularity contest. Right now my time is a little limited so there's still a bit of work to be done - and when I have the time I'm just picking a package at random installed upon my machine at home!

> Why not cooperate with them and put the results of your audits in
> that site too? Maybe you could audit Debian-related packages and submit
> information both to them, to the upstream developers and to the Debian
> security team.

That might be useful - so far I'm finding a depressing number of flaws in code, but having little response in getting patches accepted, or even vulnerabilities acknowledged. It's almost enough to tempt me to post to bugtraq ;)

Steve
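The audit-ordering method Steve describes (setuid/setgid binaries, mapped to their Debian packages and ranked by popularity-contest installs) as an added example script; this is not code from the thread or from Steve's project. It assumes `dpkg -S` for the path-to-package mapping and a popcon file in the `by_inst` layout (`rank package inst ...`, `#` comment lines), both of which are assumptions; the sample data in the usage is constructed.

```sh
#!/bin/sh
# Added example, not the thread's own code: prioritise an audit of
# privileged binaries by how widely their packages are installed.
# Assumed inputs: dpkg -S for path -> package, and a popcon file whose
# data lines look like "<rank> <package> <inst> ..." with '#' comments.

# Enumerate setuid or setgid regular files below a root (default /),
# staying on one filesystem so bind mounts and /proc are not rescanned.
find_privileged_binaries() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# stdin: one path per line. Output: owning package names, de-duplicated.
# Paths no package owns (locally built binaries) are silently dropped,
# so diff this against the raw path list if you want to catch them.
paths_to_packages() {
    while IFS= read -r path; do
        dpkg -S "$path" 2>/dev/null | cut -d: -f1
    done | sort -u
}

# stdin: package names; $1: popcon by_inst file.
# Output: "<installs> <package>", most installed first; packages absent
# from popcon sort to the bottom with 0 rather than being lost.
rank_by_popcon() {
    popcon="$1"
    sort -u | awk -v popcon="$popcon" '
        BEGIN {
            while ((getline line < popcon) > 0) {
                split(line, f, " ")
                if (f[1] ~ /^[0-9]+$/) inst[f[2]] = f[3]
            }
        }
        { printf "%d %s\n", ($1 in inst) ? inst[$1] : 0, $1 }
    ' | sort -k1,1nr -k2,2
}

# Whole pipeline: run on a real system as
#   audit_priority_report / /var/cache/popcon/by_inst > audit-order.txt
audit_priority_report() {
    find_privileged_binaries "$1" | paths_to_packages | rank_by_popcon "$2"
}
```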