Re: Does Debian need to enforce a better Security policy for packages?

To: debian-security@lists.debian.org
Subject: Re: Does Debian need to enforce a better Security policy for packages?
From: Michael Robinson <robinson@netrinsics.com>
Date: Thu, 25 Oct 2001 20:41:31 +0800
Message-id: <20011025204131.B6072@netrinsics.com>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <20011024101959.C21785@salem.getuid.de>
References: <20011022184619.A8341@dat.etsit.upm.es> <20011022213138.H1337@salem.getuid.de> <20011023011714.A19676@dat.etsit.upm.es> <20011023095504.J1337@salem.getuid.de> <20011023222802.A1984@netrinsics.com> <20011024101959.C21785@salem.getuid.de>

On Wed, Oct 24, 2001 at 10:19:59AM +0200, Christian Kurz wrote:
> On 23/10/01, Michael Robinson wrote:
> > On Tue, Oct 23, 2001 at 09:55:04AM +0200, Christian Kurz wrote:
> > > Do you know how difficult and time-consuming it really is to do a manual
> > > source code audit? Also the available programs for source code audits
> > > can only give you hints which parts of a program might be suspicious, but
> > > you still would have to verify everything by hand to be really sure. 
> 
> > FreeBSD does it for their ports tree.  In fact, this has been a matter of
> 
> Does what? Just look for some suspicous functions or code-fragments or
> do a full audiit for the whole source? 

The FreeBSD approach is to start at the most dangerous end (common SUID root
executables, obvious buffer overflows, etc.) and work towards the least 
dangerous end (e.g. race conditions in obscure non-SUID applications) as
time and resources permit.  It's a "best effort" approach.  There's no 
guarantee of catching every bug, but there's a reasonable assurance that 
most users aren't exposed to glaring vulnerabilities in the most common
installations.

You can go through the BugTraq archives looking for "FreeBSD Ports"
announcements to see the kind of vulnerabilities the FreeBSD team has been
protecting their users from so far.

	-Michael Robinson

Reply to:

References:
- Does Debian need to enforce a better Security policy for packages?
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: Does Debian need to enforce a better Security policy for packages?
  - From: Christian Kurz <shorty@debian.org>
- Re: Does Debian need to enforce a better Security policy for packages?
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: Does Debian need to enforce a better Security policy for packages?
  - From: Christian Kurz <shorty@debian.org>
- Re: Does Debian need to enforce a better Security policy for packages?
  - From: Michael Robinson <robinson@netrinsics.com>
- Re: Does Debian need to enforce a better Security policy for packages?
  - From: Christian Kurz <shorty@debian.org>

Prev by Date: Re: Does Debian need to enforce a better Security policy for packages?
Next by Date: Unidentified subject!
Previous by thread: Re: Does Debian need to enforce a better Security policy for packages?
Next by thread: Re: Does Debian need to enforce a better Security policy for packages?
Index(es):
- Date
- Thread