Re: time for some OpenBSD-style auditing?

On Thu, Dec 28, 2000 at 08:46:23PM -0700, John Galt wrote:
[ all developers should audit their code ]
> > 
> > Sounds lovely, in theory.  However, judging by the number of open bugs
> > in some packages, out of date packages, etc, what makes you think
> > developers would take this more seriously?  What proof does one have
> Actually let me chime in at this point and say that personally I'd
> probably prefer non-developers auditing.  If you adopt code as an auditor,
> you lose the objectivity to be able to junk bad code relatively
> quickly...  Auditors should have as little to do with a piece of code
> they're auditing as possible: preferably not even use it.  This way they
> don't fall "in love" with the code and do what's necessary for security...

This is the way to go.  For this to actually work someone will
probably have to form a "team" of decent auditors to start digging and
file bugs as they find them ... I know I'm not qualified :)

Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc.                 | than a perfect plan tomorrow.
mailto:nnorman@micromuse.com   |   -- Patton