Re: realpath(3) et al
From: Mike Hoskins (mike_at_adept.org)
Date: Mon, 11 Aug 2003 16:14:52 -0700 (PDT) To: firstname.lastname@example.org
On Mon, 11 Aug 2003, Kris Kennaway wrote:
> Help with auditing is always welcomed. See the freebsd-audit mailing
I will browse the -audit archives, and subscribe if I feel I have
something to contribute. Since I haven't written any real (read:
compiled) source code since CSCE, I have a lot to learn before I can speak
on such lists.
Beside volunteer efforts (which I think are great, and I'd love to attempt
to organize... I liked the ideas others have posted so far), I wonder if
it would be useful to use some tool or 3rd-party as well? I specifically
mentioned '3rd-party' because conducting such an external audit generally
allows you to say 'our code meets the following spec(s)'. Being able to
say that may serve a meaningful purpose in certain circles. Obviously,
bugs would still exist (and old bugs may reappear over time, as pointed
out by Wietse Venema on Bugtraq recently), and reviews would still need
to happen... But I believe getting 3rd-party consensus about the
'quality' of our code at a given point in time could be quite useful to
the project. I may be off-base; It wouldn't be the first time.
It may be just as useful to use some 'industry accepted tool' (probably
something commercial, although opensource tools would work if they are
used and respected by members of our community) to do scans of the base
system. I would think that things like one-off errors would be caught by
most code review utilities. Are any of these utilities used now? Has any
thought been given to their use? Do developers and/or the core team have
general feelings about the usefulness of such utilities? If it's simply a
matter of money, I'll start a collection today.
Not to give a false impression... I don't have jewels flowing from my
pockets either. ;) However, I think of the many things I spend money
on... This would be one of the most worthwhile. I would like to invest
time as well, but while I'm coming up to speed it is easier to throw money
at the problem.
I'm glad to see interest in this endeavor -- it is just what I expected.
I'm sure anyone here has interest, it is just a matter of figuring out the
best way to proceed. We need volunteers, tools and time. My primary
concern is ensuring that the result of any work is as immediately useful
to the project and our community as possible.
-- From: "Spam Catcher" <email@example.com> To: firstname.lastname@example.org Do NOT send email to the address listed above or you will be added to a blacklist! _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "firstname.lastname@example.org"