
Re: Developers vs Uploaders



On Wed, 21 Mar 2007 18:12:39 -0700, Don Armstrong <don@debian.org> said: 

> On Wed, 21 Mar 2007, Manoj Srivastava wrote:
>> Buffer overflows are _still_ being exploited, decades after it is
>> known that unchecked user input fed to memory allocated on the
>> stack. And it does not take a rocket scientist to spot a buffer
>> overflow.

> Some buffer overflows are easy to spot, but others are quite
> difficult. I'd like to think that the people who have reviewed
> openbsd's network stack are at least passingly familiar with buffer
> overflows, and even they've missed them.

>> I think that evil hacker dudes are not quite so devilishly clever;
>> there are broad swathes of exploits that stem from very few, well
>> known classes of programming errors.

> The classes are well known, but the implementations of those errors
> can be wildly inventive.

        Can be, sure.  But very rarely are.  Complex and Byzantine,
 yes. Inventive, no.

>> And you do not need to be up to snuff in the latest kiddie exploit
>> to do so.

> To find low hanging fruit, sure, but to actually be able to say that
> you've properly reviewed the code requires knowing a great deal
> about all of the classes of exploits, not just the common ones.

        I don't think anyone in their right minds makes assertions
 that they have found all security flaws in code.

>> Nothing is ever enough. There is no last bug, security or
>> otherwise.  But perfection is not the enemy of the good -- and
>> stopping efforts to improve security or decrease the bug density
>> because one can not reach perfection is .... weak.

> No one is arguing that code shouldn't be reviewed. The argument that
> is being made is that we should acknowledge that some code in the
> archive is not or cannot be properly reviewed, and from that
> position act to minimize the damage such code can cause.

        The argument, if I can follow the thread, is about people who
 review every line of code, like myself, for all new upstream, and
 anything we sponsor, and whether such activity is desirable and
 productive.

        My contention is that code review by a developer adds
 value. It is not perfect, and it is not the final word, but using
 that argument --- that the code review by a developer does not catch
 all errors and thus is irrelevant -- is kinda silly.


        I have no idea where you picked, in this thread, the idea that
 people say that _only_ developer reviews are all that is important --
 but it certainly was not from me, nor from anyone who has been
 talking on this thread.

        So you seem to be attacking a strawman -- and we are drifting
 from the point I was raising, which was the position that code
 reviews by developers provide no value, and need not be encouraged.
 Despite the fact that there are few, if none, system wide exploit
 pattern searches conducted on any kind of a regular schedule, if at
 all. 

        manoj
-- 
God made everything out of nothing, but the nothingness shows
through. Paul Valery
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
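The message above argues that the classic stack overflow (unchecked input copied into a fixed-size stack buffer) is something a reviewer can spot on sight. The following is an added illustration, not code from this thread or from any Debian package: a constructed "before" function showing the pattern a reviewer is looking for, beside the "after" with the length check that review would ask for. The function and buffer names, the 16-byte limit and the sample inputs are all assumptions made up for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* assumed fixed buffer size for the example */

/* Bounded length scan (avoids relying on strnlen being declared). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* BEFORE: the pattern the thread describes. strcpy copies until it finds a
 * NUL, so any input of 16 bytes or more overruns the stack buffer `name`.
 * This is the line a reviewer should stop at; it is kept only to show the
 * defect and is never called with long input in this example. */
int greet_unchecked(const char *user_input, char *out, size_t out_len)
{
    char name[NAME_LEN];
    strcpy(name, user_input);   /* no length check: review finding */
    return snprintf(out, out_len, "hello, %s", name);
}

/* AFTER: the same function with the check review would ask for. Input that
 * does not fit (no room for the terminator) is rejected with -1 rather than
 * silently truncated, so the caller can log or refuse the request. */
int greet_checked(const char *user_input, char *out, size_t out_len)
{
    char name[NAME_LEN];
    size_t n = bounded_len(user_input, NAME_LEN);
    if (n >= NAME_LEN)
        return -1;              /* would not fit: refuse instead of overflowing */
    memcpy(name, user_input, n);
    name[n] = '\0';
    return snprintf(out, out_len, "hello, %s", name);
}

/* Review-checklist helper: 1 if the input fits the buffer with its NUL, else 0. */
int input_fits(const char *user_input)
{
    return bounded_len(user_input, NAME_LEN) < NAME_LEN;
}

/* Convenience wrapper returning only the status/length of the checked path. */
int checked_greeting_len(const char *user_input)
{
    char out[64];
    return greet_checked(user_input, out, sizeof out);
}

int main(void)
{
    char out[64];
    /* constructed sample inputs */
    const char *short_name = "manoj";
    const char *long_name  = "a-name-that-is-far-too-long-for-the-buffer";

    printf("checked, short input: %d -> %s\n",
           greet_checked(short_name, out, sizeof out), out);
    printf("checked, long input: %d (rejected)\n",
           greet_checked(long_name, out, sizeof out));
    printf("fits? short=%d long=%d\n", input_fits(short_name), input_fits(long_name));
    /* greet_unchecked(long_name, ...) would corrupt the stack; deliberately not run */
    return 0;
}
```

The point for review is not the strcpy call itself but the missing relationship between the input's length and the destination's size: a reviewer asks "where is the bound checked?" for every copy into a fixed-size buffer, and the fixed version makes that bound explicit and fails closed.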


