Re: Does Debian need to enforce a better Security policy for packages?

On Tue, Oct 23, 2001 at 09:55:04AM +0200, Christian Kurz wrote:
> Do you know how difficult and time-consuming it really is to do a manual
> source code audit? Also the available programs for source code audits
> can only give you hints which parts of a program might be suspicious, but
> you still would have to verify everything by hand to be really sure.

FreeBSD does it for their ports tree.  In fact, this has been a matter of
controversy, as the FreeBSD team issues a huge number of security advisories
for software that really has nothing to do with FreeBSD. This has caused casual
observers to erroneously believe FreeBSD is less secure than other less
carefully managed operating system projects.

Yes, source-code audits are time-consuming.  Time-consuming is different
from "not possible", however.  The alternative is the "ostrich" method of
security management.

	-Michael Robinson