[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Developers vs Uploaders

On Wed, 21 Mar 2007, Manoj Srivastava wrote:
> The implication, unless I am misreading things here, is that code
> reviews and inspection of upstream changes are ineffectual. Given
> that reviewing code for security is a labour intensive process, the
> inference is that it is not worth doing proactive inspections of
> code for potential problems, and it is better to work on other
> aspects of the project.
> I find that a startling conclusion, and I am wondering if I
> misunderstood, or should we really open the floodgates to
> uninspected code, on the grounds that inspections buy us little, if
> anything?

The point that is (or, rather appears to be) being made is that the
floodgates are already open. Unless you have a relatively complete and
continuously updated understanding of the security bugs which affect
the language in which the package is written and the operating system
upon which it is running, it is almost impossible to do a meaningful
code review for security.[1]

I don't think that's a strong argument against doing them because you
can still catch bugs (security and otherwise) that way, but it is a
strong argument that code reviews by the maintainer are not enough.

It also raises the question that the time spent doing security reviews
of code in Debian by maintainers of their own packages may be better
spent looking for known classes of vulnerabilities distribution wide.

Don Armstrong

1: I know my own understanding of security issues is woefully
incomplete; I can only catch the low hanging fruit there.
My spelling ability, or rather the lack thereof, is one of the wonders
of the modern world.

http://www.donarmstrong.com              http://rzlab.ucr.edu

Reply to: