Re: Maintaining packages properly
On Wed Mar 18, 2009 at 21:01:04 -0400, Micah Anderson wrote:
> However, I do see your point about NEW packages, and it might be
> interesting, if we could get enough security auditors who had the skills
> and the time, to be a part of the NEW process. This could introduce an
> unnecessary delay in the processing of packages, depending on the depth
> and breadth of such an audit. Or even a false sense of security if
> people think that their packages are free of security holes if they've
> passed NEW.
The security audit project mostly seems to have stalled/died. There
was a time when there were people actively taking part and doing
semi-directed audits of the archive.
These days it is very very rare that anybody does so, which is
unfortunate (speaking both as the person who started it, and as somebody
who would love to have such an effort be more visible and active.)
I've been on the point of updating the webpages several times to
say "this activity is dead, and these are merely historic notes" but
haven't quite wanted to admit defeat.
> > Maybe more people could join the debian security audit team? For a lot
> > of PHP packages it would be enough to check whether certain functions
> > (e.g. htmlspecialchars) are found. If not, this is often an
> > indication of insufficient protection measures.
> Calling all interested security people who have just been dying to
> show their skills, or develop stronger auditing skills!
I think if there is no such response then it is definitely time to
call it a day and cease pretending we have auditors on hand.
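The quoted suggestion above (checking PHP packages for whether escaping functions such as htmlspecialchars appear near output of user-controlled data) is the kind of crude, first-pass audit heuristic an auditor could script. The following Python is an added example, not code from this thread or from the Debian security audit project: it scans constructed PHP snippets (labelled as such in the code) for echo/print statements that reference a request superglobal without an htmlspecialchars/htmlentities call in the same expression. The sample sources, the regexes and the function names are all assumptions for illustration.

```python
import re
from pathlib import Path

# Constructed sample PHP sources for demonstration; not taken from any real package.
SAMPLES = {
    "escaped.php": '<?php echo htmlspecialchars($_GET["name"], ENT_QUOTES, "UTF-8"); ?>',
    "unescaped.php": '<?php echo "Hello " . $_GET["name"]; ?>',
    "unescaped_print.php": '<?php print $_POST["comment"]; ?>',
    "no_output.php": '<?php $x = $_GET["id"]; $y = (int)$x; ?>',
}

# An output statement: "echo <expr>;" or "print <expr>;" (non-greedy up to the first ';').
OUTPUT_RE = re.compile(r'\b(?:echo|print)\b\s*(.*?);', re.DOTALL)
# Request-controlled superglobals that reach the page unescaped unless filtered.
SUPERGLOBAL_RE = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b')
# The escaping functions the thread mentions as an indicator of protection.
ESCAPE_RE = re.compile(r'\b(?:htmlspecialchars|htmlentities)\s*\(')


def find_unescaped_output(source):
    """Return the output expressions that use a superglobal without an escape call.

    This is deliberately a coarse heuristic: escaping done earlier in the file,
    or other sanitisation, is not tracked, so hits are review candidates, not
    confirmed bugs, and code that escapes via other paths will be missed.
    """
    findings = []
    for m in OUTPUT_RE.finditer(source):
        expr = m.group(1)
        if SUPERGLOBAL_RE.search(expr) and not ESCAPE_RE.search(expr):
            findings.append(expr.strip())
    return findings


def audit(sources):
    """Map file name -> suspicious expressions, keeping only files with findings."""
    results = {}
    for name, src in sources.items():
        hits = find_unescaped_output(src)
        if hits:
            results[name] = hits
    return results


def audit_directory(root):
    """Run the same check over every *.php file below a directory (hypothetical path)."""
    sources = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}
    return audit(sources)


if __name__ == "__main__":
    for fname, hits in audit(SAMPLES).items():
        for expr in hits:
            print(f"{fname}: unescaped output of request data: {expr}")
```

Run against a real unpacked source tree with audit_directory("/path/to/unpacked/package") and read each hit by hand; the check only says where escaping is absent from the immediate expression, which is precisely the "indication of insufficient protection measures" the quoted message describes, not a verdict.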