On 23/10/01, Michael Robinson wrote:
> On Tue, Oct 23, 2001 at 09:55:04AM +0200, Christian Kurz wrote:
> > Do you know how difficult and time-consuming it really is to do a manual
> > source code audit? Also the available programs for source code audits
> > can only give you hints which parts of a program might be suspicious, but
> > you still would have to verify everything by hand to be really sure.
> FreeBSD does it for their ports tree. In fact, this has been a matter of

Does what? Just look for some suspicious functions or code fragments, or do a full audit of the whole source?

> Yes, source-code audits are time-consuming. Time-consuming is different
> from "not possible", however.

Why the hell do you try to interpret into my previous e-mail that I'm saying they would be "not possible"? Maybe you need to read it again, but it clearly states that a full audit of the code for one package takes an enormous amount of time and that you also need quite a lot of knowledge for such a task. And especially since we talked about having an audit _before_ having the package be included as a Debian package into the archive, a full audit of all new packages would decrease the number of packages entering the archive and also take a very long time, since everyone here is a volunteer. Also you still have the problem left with about 8000 packages being already included in Debian and having mostly never had a full audit. So for really auditing Debian and ensuring that every piece of malicious code is found and either removed or fixed, you would have to drop all packages and start with, for example, init and audit it. After that one is fully audited, you can move on to, for example, login and so on, until you have audited every package from the current number of packages completely. Until such an effort has been made to ensure that there's currently no malicious code included in Debian, a full audit of new packages would only be the tip of an iceberg.
> The alternative is the "ostrich" method of security management.

What's that kind of method? I never heard about that name.

Christian
-- 
Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853