Re: Does Debian need to enforce a better Security policy for packages?
On Wed, Oct 24, 2001 at 10:19:59AM +0200, Christian Kurz wrote:
> On 23/10/01, Michael Robinson wrote:
> > On Tue, Oct 23, 2001 at 09:55:04AM +0200, Christian Kurz wrote:
> > > Do you know how difficult and time-consuming it really is to do a manual
> > > source code audit? Also the available programs for source code audits
> > > can only give you hints which parts of a program might be suspicious, but
> > > you still would have to verify everything by hand to be really sure.
> > FreeBSD does it for their ports tree. In fact, this has been a matter of
> Does what? Just look for some suspicious functions or code-fragments or
> do a full audit for the whole source?
The FreeBSD approach is to start at the most dangerous end (common SUID root
executables, obvious buffer overflows, etc.) and work towards the least
dangerous end (e.g. race conditions in obscure non-SUID applications) as
time and resources permit. It's a "best effort" approach. There's no
guarantee of catching every bug, but there's a reasonable assurance that
most users aren't exposed to glaring vulnerabilities in the most common
You can go through the BugTraq archives looking for "FreeBSD Ports"
announcements to see the kind of vulnerabilities the FreeBSD team has been
protecting their users from so far.
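As an added illustration of the "start at the most dangerous end" triage described above (this is example code written for this page, not a tool from the FreeBSD or Debian projects, and the package names, modes and source snippets are constructed): a small Python script that greps a set of programs for calls an auditor would want to review by hand, then orders the audit queue so that setuid binaries come first and, within each group, programs with more suspicious call sites come before those with fewer. The grep only produces hints, as the thread says; the ordering is what turns those hints into a best-effort work list.

```python
import re
import stat
from dataclasses import dataclass

# Constructed sample "packages": (installed path, file mode bits, excerpt of C source).
# These are illustrative only; they are not real FreeBSD ports or Debian packages.
SAMPLE_PACKAGES = [
    ("/usr/bin/example-passwd", 0o4755, """
int main(int argc, char **argv) {
    char buf[64];
    strcpy(buf, argv[1]);
    gets(buf);
    return 0;
}
"""),
    ("/usr/bin/example-editor", 0o755, """
int main(int argc, char **argv) {
    char cmd[256];
    sprintf(cmd, "pager %s", argv[1]);
    system(cmd);
    return 0;
}
"""),
    ("/usr/bin/example-safe", 0o755, """
int main(void) {
    char buf[64];
    if (fgets(buf, sizeof buf, stdin) == NULL) return 1;
    return 0;
}
"""),
]

# Library calls that merit manual review, with the bug class each one hints at.
# A hit is a place to look, not a confirmed vulnerability.
SUSPICIOUS_CALLS = {
    "gets": "unbounded read (buffer overflow)",
    "strcpy": "unbounded copy (buffer overflow)",
    "strcat": "unbounded concatenation (buffer overflow)",
    "sprintf": "unbounded formatted write (buffer overflow)",
    "system": "shell invocation (command injection)",
    "popen": "shell invocation (command injection)",
}

# \b keeps "fgets(" and "strncpy(" from matching "gets(" and "strcpy(".
CALL_PATTERN = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")


@dataclass
class AuditHint:
    path: str
    setuid: bool
    hits: list  # (line number, call name, reason)


def find_suspicious_calls(source):
    """Return every suspicious call site in a C source text as (line, call, reason)."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CALL_PATTERN.finditer(line):
            call = m.group(1)
            hits.append((lineno, call, SUSPICIOUS_CALLS[call]))
    return hits


def triage(packages):
    """Order audit candidates most-dangerous-first: setuid programs before
    non-setuid ones, then by number of suspicious call sites, then by path.
    Programs with no hits stay in the list: absence of hits proves nothing."""
    results = []
    for path, mode, source in packages:
        is_setuid = bool(mode & stat.S_ISUID)
        results.append(AuditHint(path, is_setuid, find_suspicious_calls(source)))
    results.sort(key=lambda r: (not r.setuid, -len(r.hits), r.path))
    return results


if __name__ == "__main__":
    for rank, hint in enumerate(triage(SAMPLE_PACKAGES), start=1):
        flag = "SUID" if hint.setuid else "    "
        print(f"{rank}. {flag} {hint.path} ({len(hint.hits)} hint(s))")
        for lineno, call, reason in hint.hits:
            print(f"      line {lineno}: {call}() -> {reason}")
```

In practice the source would come from the extracted package tree and the mode bits from the installed file list; the sort key is the part worth keeping, since it encodes exactly the priority the thread describes (exposure first, then density of obvious problems) while leaving the actual verification to a human reader.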