On 00-11-07 Andreas Schuldei wrote:
> * Christian Kurz (shorty@debian.org) [001107 00:03]:
> > [Changed Reply-To to point to the right list]
> Not so sure about that. I do NOT want the security issues to be an issue for
> the super advanced/paranoid/freaked-out-ones/security-aware ones. That is part

This is the right list if we talk about security or extreme security-related
things like a security audit of source code. -devel is not the right list and
is already cluttered with a lot of topics, so let's move it to the right list.

> of the idea. So I do not want the discussion going on in some remote
> mailinglist but for everyone to see and read. If we do not get the idea

It's not a remote list. It's a debian list which is open for everyone to join
who has an interest in security. Please inform yourself better next time.

> across to lots of people, we will not win anything. Today's volume of our

Why? Can't we talk about the things first on the correct list and then
announce it to the people? Following your idea, we discuss everything now on
-devel and remove -policy, -security, -user and so on.

> distribution is out of hand. We have 4000 packages and are not enough (all
> developers that is, not just the ones reading debian-security) to look over
> our source in any time soon. And numbers get worse, if people are not
> educated.

You talked first about OpenBSD, where only the base system is really audited
and gets audited, and now you talk about auditing 4000 packages? What the hell
do you have in mind? Please make an exact statement of what you want to audit.
And please think very carefully about the idea of auditing 4000 packages and
if that's really needed.

> > This won't be possible as you need a lot of knowledge about security and
> > programming to do a real audit. It's not enough to have knowledge about
> > security only or programming only, but it's the combination of both
> > kinds of knowledge that allows you to do audits.
> We are running debian and most of us speak at least one programming
> language. I guess within the last 3 to 5 years you have learned things
> you were not even aware they existed. It is a continuous process and
> why should it stop at secure programming?

Because not everyone is interested in programming even if he is a debian
developer. You make assumptions here that are not correct, and if you read the
secure programming faq (You know the URL to it?), you should be aware that
security audits of program code are not easy to do and only for advanced
programmers and security people.

> > Why don't you ask for help on this on security-audit? This list was
> > originally created for doing audits of unix tools and is seldom used.
> > (You should know this. :)
> I should, I am subscribed there. I also see how much progress is made.
> The majority of the mails from the last two weeks were off topic and
> about the break-in at Microsoft. I guess it was 10 mails altogether.
> You get my point?

Yes, but why do you not ask on this list for help in auditing some source code
and use the list for the things it was planned for? Just because currently
it's close to dead and has off-topic stuff shouldn't stop someone from using
it for the right things, which are on-topic there.

> I think, the long term perspective must be to have some AI (yes,
> SciFi) doing the simple audits. There is no other way to manage
> nowadays' amounts of code.

And again I tell you there's no way to automatically do this, or the OpenBSD
guys would already be using it. Why do you think they are just auditing the
base system and not all the ports?

Ciao
Christian
-- 
Debian Developer and Quality Assurance Team Member
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853