Re: Does Debian need to enforce a better Security policy for packages?

To: debian-security@lists.debian.org
Subject: Re: Does Debian need to enforce a better Security policy for packages?
From: Michael Robinson <robinson@netrinsics.com>
Date: Tue, 23 Oct 2001 22:28:02 +0800
Message-id: <20011023222802.A1984@netrinsics.com>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <20011023095504.J1337@salem.getuid.de>
References: <20011022184619.A8341@dat.etsit.upm.es> <20011022213138.H1337@salem.getuid.de> <20011023011714.A19676@dat.etsit.upm.es> <20011023095504.J1337@salem.getuid.de>

On Tue, Oct 23, 2001 at 09:55:04AM +0200, Christian Kurz wrote:
> Do you know how difficult and time-consuming it really is to do a manual
> source code audit? Also the available programs for source code audits
> can only give you hints which parts of a program might be suspicious, but
> you still would have to verify everything by hand to be really sure. 

FreeBSD does it for their ports tree.  In fact, this has been a matter of
controversy, as the FreeBSD team issues a huge number of security advisories
for software that really has nothing to do with FreeBSD. This has caused casual
observers to erroneously believe FreeBSD is less secure than other less
carefully managed operating system projects.

Yes, source-code audits are time-consuming.  Time-consuming is different
from "not possible", however.  The alternative is the "ostrich" method of
security management.

	-Michael Robinson

Reply to:

Follow-Ups:
- Re: Does Debian need to enforce a better Security policy for packages?
  - From: Christian Kurz <shorty@debian.org>
- Re: Does Debian need to enforce a better Security policy for packages?
  - From: Patrice Neff <mailinglists@patrice.ch>
- Re: Does Debian need to enforce a better Security policy for packages?
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

References:
- Does Debian need to enforce a better Security policy for packages?
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: Does Debian need to enforce a better Security policy for packages?
  - From: Christian Kurz <shorty@debian.org>
- Re: Does Debian need to enforce a better Security policy for packages?
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: Does Debian need to enforce a better Security policy for packages?
  - From: Christian Kurz <shorty@debian.org>

Prev by Date: Re: Does Debian need to enforce a better Security policy for packages?
Next by Date: Re: Two questions about /etc/apt/sources.list
Previous by thread: Re: Does Debian need to enforce a better Security policy for packages?
Next by thread: Re: Does Debian need to enforce a better Security policy for packages?
Index(es):
- Date
- Thread