Il giorno sab, 22/10/2005 alle 23.19 +0200, Javier Fernández-Sanguino Peña ha scritto: > I asked a while back to make some things policy, one of those was describing > how systems users should be created and ask packages to use those instead of > providing daemons with full root privileges (see #291177). Well, this was > some time ago, and I'm surprised to see stuff like this: #334616 (a sound > daemon running with *full* *root* privileges). > > I've decided to write a section for the Developer's Reference called "Best > practices for security review and design". I think the Audit team (and > security team) would have less of a job if the maintainers where > knowledgeable enough to fix security bugs in packages before they are > uploaded and to detect software which is so bug-ridden with security issues > that it should never enter the archive. > > The diff is attached (I'm going to commit it right away, I hope the > Developer's Reference maintainers don't mind) and I'm looking for help to > proofread it and extend it. If we could write a good section I think we > should go ahead and mail debian-devel-announce so that people are forewarned > and don't get bitten by us in the future so much. It would also be useful to > point maintainers to when they don't understand a bug sent by the audit team. I think your writing is clear. Bye Stefano -- Stefano Canepa aka sc: sc@linux.it http://www.stefanocanepa.it Three great virtues of a programmer: laziness, impatience and hubris. Le tre grandi virtù di un programmatore: pigrizia, impazienza e arroganza. (Larry Wall)
Attachment:
signature.asc
Description: This is a digitally signed message part