
Re: Maintaining packages properly

On Wed Mar 18, 2009 at 21:01:04 -0400, Micah Anderson wrote:

> However, I do see your point about NEW packages, and it might be
> interesting, if we could get enough security auditors who had the skills
> and the time, to be a part of the NEW process. This could introduce an
> unnecessary delay in the processing of packages, depending on the depth
> and breadth of such an audit. Or even a false sense of security if
> people think that their packages are free of security holes if they've
> passed NEW.

  The security audit project mostly seems to have stalled/died.  There
 was a time when there were people actively taking part and doing
 semi-directed audits of the archive.

  These days it is very very rare that anybody does so, which is
 unfortunate (speaking both as the person who started it, and as somebody
 who would love to have such an effort be more visible and active.)

  I've been on the point of updating the webpages several times to
 say "this activity is dead, and these are merely historic notes" but
 haven't quite wanted to admit defeat.

> > Maybe more people could join the debian security audit team? For a lot
> > of PHP packages it would be enough to check whether certain functions
> > (e.g. htmlspecialchars) are found. If not, this is often an
> > indication of insufficient protection measures.
> Calling all interested security people who have just been dying to
> show their skills, or develop stronger auditing skills!

  I think if there is no such response then it is definitely time to
 call it a day and cease pretending we have auditors on hand.
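The quoted suggestion above (grep PHP packages for htmlspecialchars as a first-pass indicator) can be turned into a small scripted check. The following is an added example, not code from this thread or from the Debian security audit project; the file names, the sample PHP snippets and the function names are constructed for illustration. It flags PHP files that read request data ($_GET/$_POST/$_REQUEST) but never call htmlspecialchars(), which is only a hint that a manual look is warranted, not a confirmed hole.

```shell
#!/bin/sh
# Added example: a coarse static heuristic in the spirit of the quoted
# suggestion. A hit means "worth a manual look", nothing more.

# Print the paths (one per line) of PHP files under $1 that read request
# data but contain no call to htmlspecialchars().
find_unescaped_php() {
    scan_dir="$1"
    find "$scan_dir" -type f -name '*.php' | while read -r f; do
        if grep -Eq '\$_(GET|POST|REQUEST)\[' "$f" \
           && ! grep -q 'htmlspecialchars(' "$f"; then
            echo "$f"
        fi
    done
}

# Number of flagged files under $1, for callers that want a count.
count_unescaped_php() {
    find_unescaped_php "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree so the check runs offline.
# Returns the temporary directory path on stdout.
make_sample_tree() {
    tree_dir=$(mktemp -d)
    mkdir -p "$tree_dir/pkg"
    cat > "$tree_dir/pkg/unescaped.php" <<'EOF'
<?php
// Constructed sample: echoes a request parameter as-is (should be flagged).
echo "Hello " . $_GET['name'];
EOF
    cat > "$tree_dir/pkg/escaped.php" <<'EOF'
<?php
// Constructed sample: same output, escaped for an HTML context (not flagged).
echo "Hello " . htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
EOF
    cat > "$tree_dir/pkg/static.php" <<'EOF'
<?php
// Constructed sample: no request input at all (not flagged).
echo "static page";
EOF
    echo "$tree_dir"
}

# Usage: sh check.sh --demo   (scans the constructed tree and cleans up)
#        or source the file and call find_unescaped_php /path/to/unpacked/pkg
if [ "${1:-}" = "--demo" ]; then
    demo_tree=$(make_sample_tree)
    find_unescaped_php "$demo_tree"
    rm -rf "$demo_tree"
fi
```

The check is deliberately file-level rather than line-level: a file that escapes in one place and not another passes, and a file that escapes for HTML but builds SQL from the same input also passes. That is exactly the "false sense of security" the reply warns about, so treat the output as a worklist for a human auditor rather than a verdict.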
