Re: realpath(3) et al

From: Mike Hoskins (mike_at_adept.org)
Date: 08/12/03

    Date: Mon, 11 Aug 2003 16:34:40 -0700 (PDT)
    To: security@freebsd.org
    
    

    On Mon, 11 Aug 2003, Jacques A. Vidrine wrote:
    > More people should ask themselves that :-) One can talk about auditing
    > code, or one can do it.

    Point taken. ;)

    > Even in projects where careful auditing has been the primary focus,
    > things get missed. For example, OpenBSD missed this exact same bug
    > and corrected it about the same time as everyone else.

    I agree, and I find the OBSD bit interesting, since members of 'their
    community' often seem to point fingers in certain forums at other
    distributions for 'not being proactive'. I think we all try to do the
    best job we can, and I'd often like to be able to tell those types to get
    off their high horse. :/

    > We _do_ already audit code, you know. FreeBSD-SA-03:09.signal was a
    > result of my auditing, FreeBSD-SA-03:10.ibcs2 was a result of David's
    > auditing. Also, many commits that are just `cleanup' are the result
    > of a kind of `auditing'.

    I suspected as much, but I wasn't aware of specifics.

    > What we perhaps lack is coordination. This is not easy in a volunteer
    > environment, but perhaps something as simple as a `scoreboard' with
    > `these files being audited/have been audited by whatsmyname' would be
    > an improvement. On the other hand, in my experience, people are quick
    > to volunteer and slow to follow up --- usually disappearing. :-( Of
    > course, those that do follow up often become committers themselves :-)

    Wasn't there a page (maybe there still is...) showing sections of the base
    system as 'assigned' to certain individuals, with contact info listed? I
    think it was pretty stale for a while, but maybe something similar could be
    revived and maintained. If it already is, great!

    The scoreboard idea, or any idea that makes coordination easier for
    everyone, sounds spot on. Are you aware of any open source/free
    collaboration systems that provide such an interface? Or could you
    elaborate a bit more on what you think would be most useful?

    > *shrug* I didn't know we had an image problem in the security
    > community.

    I don't think our image is bad, I'd just like it to be better.

    > Probably the single most effective way to get an audit done is to read
    > the code :-)

    Along those lines, I just ordered a copy of _Code Reading: The Open Source
    Perspective_ on Amazon. It received mixed reviews, and I'm hoping
    it's a worthy investment. Would anyone else care to recommend books,
    URLs, etc. that are useful to those interested in auditing code?

    -mrh

    --
    From: "Spam Catcher" <spam-catcher@adept.org>
    To: spam-catcher@adept.org
    Do NOT send email to the address listed above or
    you will be added to a blacklist!
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
    
