
Re: Who should I report source audits too?

On Wed, Jan 08, 2003 at 12:04:30PM +0100, Javier Fernández-Sanguino Peña wrote:

> 	Even if not being Debian-specific I just wanted to make you aware
> of an audit project for Linux-security related software available at
> Sardonix: https://sardonix.org/

  Thanks for the link, the site looks interesting.

  I think it's wrong to focus upon purely security related software
 though - as this misses out upon many vulnerable programs. I guess
 the plus side of narrowing your focus is that you have a much better
 idea of the size of the task, and it suggests an obvious ordering.

> 	Steve, I believe they already have a database ready for audits
> including popular programs. 

  I do indeed, it's not yet public though as it requires some fine-tuning.

  At the moment I'm generating a list of packages based upon binaries which
 are setuid/setgid within sarge and ordering those packages upon the results
 of the Debian popularity contest.

  Right now my time is a little limited so there's still a bit of work
 to be done - and when I have the time I'm just picking a package at random
 installed upon my machine at home!

> 	Why not cooperate with them and put the results of your audits in
> that site too? Maybe you could audit Debian-related packages and submit
> information both to them, to the upstream developers and to the Debian
> security team.

  That might be useful - so far I'm finding a depressing number of flaws
 in code, but having little response in getting patches accepted, or even
 vulnerabilities acknowledged.

  It's almost enough to tempt me to post to bugtraq ;)
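The package-selection step Steve describes above (collect the setuid/setgid binaries in the distribution, map each to its owning package, and order the packages by Debian popularity contest results) is shown below as an added illustration; it is not code from this thread or from the Debian project. It assumes constructed sample inputs standing in for a filesystem scan, for `dpkg -S` answers and for a popcon `by_inst`-style listing, and the `scan_filesystem` helper is a hypothetical convenience for running the same logic against a real system.

```python
import os
import stat
from collections import defaultdict

# Constructed sample of what a filesystem scan would yield: (path, st_mode).
# Modes are built from stat constants so the setuid/setgid bits are explicit.
SAMPLE_FILES = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/chsh", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/wall", stat.S_IFREG | stat.S_ISGID | 0o755),
    ("/usr/bin/ls", stat.S_IFREG | 0o755),           # ordinary binary, skipped
    ("/usr/games/nethack", stat.S_IFREG | stat.S_ISGID | 0o755),
    ("/usr/bin/sudo", stat.S_IFREG | stat.S_ISUID | 0o755),
]

# Constructed stand-in for `dpkg -S <path>` answers (path -> owning package).
SAMPLE_OWNERS = {
    "/usr/bin/passwd": "passwd",
    "/usr/bin/chsh": "passwd",
    "/usr/bin/wall": "bsdutils",
    "/usr/bin/ls": "coreutils",
    "/usr/games/nethack": "nethack-console",
    "/usr/bin/sudo": "sudo",
}

# Constructed popcon-style lines; the assumed layout is
# "rank name inst vote old recent no-files (maintainer)" with a '#' header.
SAMPLE_POPCON = """\
#rank name inst vote old recent no-files (maintainer)
1 coreutils 9000 8500 300 200 0 (Constructed Maintainer)
2 passwd 8900 8000 600 300 0 (Constructed Maintainer)
3 bsdutils 8800 7000 1500 300 0 (Constructed Maintainer)
9 sudo 6100 5000 900 200 0 (Constructed Maintainer)
4000 nethack-console 120 40 70 10 0 (Constructed Maintainer)
"""


def is_privileged(mode):
    """True for regular files carrying the setuid or setgid bit."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def scan_filesystem(roots=("/usr", "/bin", "/sbin")):
    """Hypothetical helper: walk real directories and return (path, mode) pairs.
    Not exercised by the sample run; lstat is used so symlinks are not followed."""
    found = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    found.append((path, os.lstat(path).st_mode))
                except OSError:
                    continue  # unreadable entry: skip rather than abort the scan
    return found


def parse_popcon(text):
    """Map package name -> installation count from by_inst-style lines."""
    counts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed line: ignore instead of guessing
        counts[fields[1]] = int(fields[2])
    return counts


def audit_queue(files, owners, popcon_text):
    """Return [(package, inst_count, [paths])], most widely installed first."""
    by_package = defaultdict(list)
    for path, mode in files:
        if is_privileged(mode):
            # A file no package claims is still worth a look, so keep it visible.
            by_package[owners.get(path, "<unowned>")].append(path)
    counts = parse_popcon(popcon_text)
    queue = [(pkg, counts.get(pkg, 0), sorted(paths))
             for pkg, paths in by_package.items()]
    # Highest install count first; ties broken by name so the order is stable.
    queue.sort(key=lambda item: (-item[1], item[0]))
    return queue


if __name__ == "__main__":
    for pkg, inst, paths in audit_queue(SAMPLE_FILES, SAMPLE_OWNERS, SAMPLE_POPCON):
        print(f"{inst:>6}  {pkg:<20} {' '.join(paths)}")
```

Run against the constructed data the queue comes out as passwd, bsdutils, sudo, nethack-console: the ordering is by how many systems carry the privileged binary, which is the point of combining the setuid list with popcon rather than auditing packages at random. On a real system the `scan_filesystem` result would replace `SAMPLE_FILES` and `dpkg -S` output would replace `SAMPLE_OWNERS`.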

