[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Does Debian need to enforce a better Security policy for packages?



On 23/10/01, Michael Robinson wrote:
> On Tue, Oct 23, 2001 at 09:55:04AM +0200, Christian Kurz wrote:
> > Do you know how difficult and time-consuming it really is to do a manual
> > source code audit? Also the available programs for source code audits
> > can only give you hints which parts of a program might be suspicious, but
> > you still would have to verify everything by hand to be really sure. 

> FreeBSD does it for their ports tree.  In fact, this has been a matter of

Does what? Just look for some suspicous functions or code-fragments or
do a full audiit for the whole source? 

> Yes, source-code audits are time-consuming.  Time-consuming is different
> from "not possible", however.

Why the hell do you try to interpret into my previous e-Mail that I'm
saying they would be "not possible"? Maybe you need to read it again,
but it clearly states, that a full audit of the code for one package
takes an enourmous account of time and that you also need quite lots of
knowledge for such a task. And especially since we talked about having
an audit _before_ having the package be included as a debian package
into the archive, a full audit of all new packages would decrease the
number of packages entering the archive and also take a very long time,
since everyone here is a volunteer. Also you still have the problem left
with about 8000 packages being already included in debian and having
mostly never had a full audit. So for really auditing debian and
ensuring that every malicous code is found and either removed or fixed,
you would have to drop all packages and start with for example init and
audit it. After that once if full audit, you can move on to for example
login and so on, until you audited every package from the current number
of packages completely. Until such an effort has been made to ensure,
that there's currently no malicous code included in debian, a full audit
of new packages would only be the tip of an iceberg.

> The alternative is the "ostrich" method of security management.

What's that kind of method? I never heared about that name.

Christian
-- 
           Debian Developer (http://www.debian.org)
1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853

Attachment: pgpUDD4SMvoID.pgp
Description: PGP signature


Reply to: