Re: scan debian packages for security vulnerabilities big time
* Christian Kurz (firstname.lastname@example.org) [001107 00:03]:
> [Changed Reply-To to point to the right list]
Not so sure about that. I do NOT want the security issues to be an issue for
the super advanced/paranoid/freaked-out-ones/security-aware ones. That is part
of the idea. So I do not want the discussion going on in some remote
mailing list but for everyone to see and read. If we do not get the idea
across to lots of people, we will not win anything. Today's volume of our
distribution is out of hand. We have 4000 packages and are not enough (all
developers, that is, not just the ones reading debian-security) to look over
our source any time soon. And numbers get worse, if people are not
> This won't be possible as you need a lot of knowledge about security and
> programming to do a real audit. It's not enough to have knowledge about
> security only or programming only, but it's the combination of both
> knowledges that allows you to do audits.
We are running Debian and most of us speak at least one programming language.
I guess within the last 3 to 5 years you have learned things you were not even
aware existed. It is a continuous process, and why should it stop at
> Why don't you ask for help on this on security-audit? This list was
> originally created for doing audits of unix tools and is seldom used.
> (You should know this. :)
I should; I am subscribed there. I also see how much progress is made. The
majority of the mails from the last two weeks were off topic and about the
break-in at Microsoft. I guess it was 10 mails altogether. You get my point?
I think the long-term perspective must be to have some AI (yes, SciFi) doing
the simple audits. There is no other way to manage nowadays' amounts of code.
We (that is: you; I just started) have accomplished a lot; why not invest some
brains in a way to do better automated audits?