Re: time for some OpenBSD-style auditing?
I'm definitely not a developer but more a Debian enthusiast. Here is my
thinking and it may not be correct.
1. If someone is going to develop software for Debian they should be
allowed even if they do not know how to secure it properly. Since people
are volunteering I would hate to tell someone that they shouldn't
volunteer for software development.
2. It is a good idea, however, to set separate software that has been
tested for good security practices. As an idea software can not be made
stable until it has gone through rigorous testing.
That's my $.02 as a non-developer.
Systems Engineer for VALinux Systems
Member of LUNA (Linux Users of Northern Arizona)
General Computer Geek
On Fri, 29 Dec 2000, Peter Eckersley wrote:
> > If I were Debian dictator (and I'm not even a debian developer, though I am
> > what you guys call an "upstream developer" -- I'm on the GCC steering
> > committee), I'd add a requirement that every package owner certify that he
> > has checked the package s/he maintains for a list of common security
> > problems, and that all problems found have been fixed.
> Sounds like a good idea. I'm not a Debian developer either (I'm in the
> NM queue), but I'd suggest that perhaps everyone who is accepted as a
> new maintainer should be required to demonstrate a clear understanding
> of common security holes as part of their "technical competency".
> |> |= -+- |= |>
> | |- | |- |\
> Peter Eckersley
> for techno-leftie inspiration, take a look at