time for some OpenBSD-style auditing?
Notice that security holes fall into classes? One category of hole
should be easy to eliminate from Debian by instituting a code auditing
requirement. I'm referring to insecure creation of temporary files,
allowing for symlink attacks. Now that we all know what this hole looks
like, it should be simple to eliminate.
The other big source of common security holes, buffer overruns, is tougher
to eliminate completely because they can be tough to spot. But there's no
excuse now for anyone to put out another GNU/Linux distribution containing
a program that creates temporary files insecurely. If I were Debian
dictator (and I'm not even a Debian developer, though I am what you guys
call an "upstream developer" -- I'm on the GCC steering committee), I'd
add a requirement that every package owner certify that s/he has checked the
package s/he maintains for a list of common security problems, and that
all problems found have been fixed.
I call this "OpenBSD style" because they are the only folks currently
doing this -- everyone else takes a reactive approach to security
problems, not fixing them until someone posts a root exploit. We
can do better.
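The temporary-file hole the post refers to, shown as an added example that is not part of the original message and not code from Debian, OpenBSD or GCC. It plays both sides of the symlink attack in a private directory (assumed: a POSIX system with a writable /tmp; the sandbox directory, the victim file and the predictable name "prog.12345.tmp" are constructed for the demo), and contrasts the vulnerable open() with the two standard fixes: O_CREAT|O_EXCL, which refuses to follow a pre-planted symlink, and mkstemp(3), which picks an unpredictable name and opens it with O_EXCL in one step.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a predictable name under a world-writable directory,
 * opened with O_CREAT but without O_EXCL. open(2) follows a symlink that an
 * attacker planted at that path, so the program clobbers whatever it points at. */
static int insecure_tmp_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern (a): O_CREAT|O_EXCL fails with EEXIST if anything,
 * a symlink included, already exists at the path. */
static int excl_tmp_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

struct demo_result {
    int insecure_clobbered; /* 1: open without O_EXCL wrote through the symlink */
    int excl_refused;       /* 1: O_CREAT|O_EXCL refused the planted symlink */
    int mkstemp_ok;         /* 1: mkstemp(3) handed back a fresh regular file */
};

/* Plays both sides of the race in a private directory under /tmp (assumption:
 * /tmp is writable). The "attacker" plants a symlink at the predictable temp
 * path before the "program" opens it. */
struct demo_result run_symlink_demo(void)
{
    struct demo_result r = {0, 0, 0};
    char dir[] = "/tmp/auditdemo.XXXXXX";      /* constructed sandbox */
    char victim[4096], tmp[4096], tmpl[4096], buf[32] = {0};
    int fd;

    if (mkdtemp(dir) == NULL)
        return r;
    snprintf(victim, sizeof victim, "%s/victim.conf", dir);
    /* predictable name: program name plus a guessable number (constructed) */
    snprintf(tmp, sizeof tmp, "%s/prog.%d.tmp", dir, 12345);
    snprintf(tmpl, sizeof tmpl, "%s/prog.XXXXXX", dir);

    /* the file the attacker wants the victim program to overwrite */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) goto out;
    (void)write(fd, "original\n", 9);
    close(fd);

    /* attacker wins the race and plants the symlink at the predictable path */
    if (symlink(victim, tmp) != 0) goto out;

    /* vulnerable program writes its "temp" data straight into victim.conf */
    fd = insecure_tmp_open(tmp);
    if (fd >= 0) {
        (void)write(fd, "attacker\n", 9);
        close(fd);
    }
    fd = open(victim, O_RDONLY);
    if (fd >= 0) {
        (void)read(fd, buf, sizeof buf - 1);
        close(fd);
    }
    r.insecure_clobbered = (strcmp(buf, "attacker\n") == 0);

    /* hardened program refuses the pre-existing path instead of following it */
    fd = excl_tmp_open(tmp);
    r.excl_refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);

    /* hardened program lets mkstemp pick the name and open it O_CREAT|O_EXCL */
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        struct stat st;
        r.mkstemp_ok = (fstat(fd, &st) == 0 && S_ISREG(st.st_mode));
        close(fd);
        unlink(tmpl);
    }

out:
    unlink(tmp);
    unlink(victim);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct demo_result r = run_symlink_demo();
    printf("open() without O_EXCL clobbered victim: %d\n", r.insecure_clobbered);
    printf("open() with O_EXCL refused symlink:     %d\n", r.excl_refused);
    printf("mkstemp() produced a fresh file:        %d\n", r.mkstemp_ok);
    return 0;
}
```

The demo runs attacker and victim serially in one process, so there is no real race to win; on a live system the attacker polls for the predictable name and plants the link first. The lesson for an audit checklist is that any name-then-open sequence (mktemp(3), tmpnam(3), "$$"-based names in shell) is the bug, whatever the name looks like; the fix is an atomic O_EXCL create or mkstemp(3), and the audit should also check that the resulting descriptor, not the path, is what the program goes on to use.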