Re: setuid/setgid binaries contained in the Debian repository.

On Sun, Aug 03, 2003 at 03:14:23AM -0400, Matt Zimmerman wrote:

> Surely two people would be an improvement over the current situation, where
> there is no review at all.  Our demonstration has shown how one person can
> discover some common flaws with a relatively brief review.

  *Exactly*.  Well said.

> Keep in mind that there are also potentially more than two people interested
> in this review process.  Another person besides myself has already
> volunteered in just the first day of discussion, and I find this very
> encouraging.

  I find that very pleasing also.  I have no desire to go down a *BSD
 route and audit every single thing, (mostly due to a lack of time),
 but it's good to see that there are people interested in this kind of

> I would like to promote this beneficial process within Debian in order to
> reduce the workload of the security team and the presence of vulnerabilities
> in our stable releases.

  I did feel a little guilty when reporting so many issues that I was
 putting unfair pressure upon the security team to release fixes, but I
 assumed if that were the case somebody would tell me.
  Anything that could make it easier for the security team to do their
 job is a good thing as you do such a good and important job.  Thanks to
 all of you.

