Re: Does Debian need to enforce a better Security policy for packages?
On Tue, Oct 23, 2001 at 10:28:02PM +0800, Michael Robinson wrote:
> FreeBSD does it for their ports tree. In fact, this has been a matter of
> controversy, as the FreeBSD team issues a huge number of security advisories
> for software that really has nothing to do with FreeBSD. This has caused casual
> observers to erroneously believe FreeBSD is less secure than other less
> carefully managed operating system projects.
Yes, you can get the same impression from Debian by checking
bugtraq's vulnerability database. You can never know if security issues
arise due to
a) security conscious people checking stuff
b) security unconscious people ignoring it.
> Yes, source-code audits are time-consuming. Time-consuming is different
> from "not possible", however. The alternative is the "ostrich" method of
> security management.
Not that I can spare time to offer myself, but didn't a group of
people show some interest in starting a code audit for Debian (starting
with the base packages)?
In any case, Debian does benefit from other code audits (take the
kernel for example)...