[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: scan debian packages for security vulnerabilitys big time

On 00-11-07 Andreas Schuldei wrote:
> * Christian Kurz (shorty@debian.org) [001107 00:03]:
> > [Changed Reply-To to point to the right list]

> Not so sure about that. I do NOT want the security issues to be an issue for
> the super advanced/paranoid/freaked-out-ones/security-aware ones. That is part

This is the right list if we talk about security or extreme
security-related things like a security audit of source code. -devel is
not the right list and already cluttered with a lot of topic, so let's
move it to the right list. 

> of the idear. So I do not want the diskussion going on in some remote
> mailinglist but for everyone to see and read. If we do not get the idear

It's not a remote list. It's a debian list which is open for everyone to
join who has a interest in security. Please inform yourself better next

> across to lots of people, we will not win anything. todays volume of our

Why? Can't we talk about the things for first on the correct list and
then announce it to the people? Following your idea, we discuss
everything now on -devel and remove -policy, -security, -user and so on.

> distrubution is out of hand. we have 4000 packages and are not enough (all
> developers that is, not just the ones reading debian-security) to look over
> our source in any time soon. And numbers get worse, if people are not
> educated. 

You talked first about OpenBSD, where only the base system is really
audited and gets audited and now you talk about auditing 4000 packages?
What the hell do you have in mind? Please make an exact statement what
you want to audit? And please think very careful about the idea of
auditing 4000 packages and if that's really needed.

> > This won't be possible as you need a lot of knowledge about security and
> > programming to do a real audit. It's not enough to have knowledge about
> > security only or programming only, but it's the combination of both
> > knowledges that allows you to do audits.

> We are running debian and most of us speaks at least one programming
> language.  I guess within the last 3 to 5 years you have learnd things
> you were not even aware they existed. It is a continous process and
> why should it stopp at secure programming?

Because not everyone is interested in programming even if he is a debian
developer. You make assumptions here that are not correct and if you
read the secure programming faq (You know the URL to it?), you should be
aware that security audits of program code are not easy to do and only
for advanced programmers and security people.

> > Why don't you ask for help on this on security-audit? This list was
> > originally created for doing audits of unix tools and is seldom used.
> > (You should know this. :)

> I should, I am subscribed there. I also see how much progress is made.
> the majority of the mails form the last two weeks were of topic and
> about the brake in at Microsoft. I guess it were 10 Mails alltogether.
> You get my point?

Yes, but why do you not ask on this list for help in auditing some
source code and using the list for the things it was planned for? Just
because currently it's close to dead and has off-topic stuff shouldn't
stop someone from using it for the right things, which are on-topic

> I think, the long term perspective must be to have some AI (yes,
> SciFi) doing the simple audits. There is no other way to manage
> nowerdays amounts of code. 

And again I tell you there's no way to automatically do this or either
the OpenBSD guys would already be using it? Why do you think they are
just auditing the base system and not all the ports?

          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853

Attachment: pgpY5SB2wivJg.pgp
Description: PGP signature

Reply to: