RE: realpath(3) et al

From: Devon H. O'Dell (dodell_at_sitetronics.com)
Date: 08/12/03

  • Next message: Simon L. Nielsen: "Re: realpath(3) et al"

    To: <security@freebsd.org>
    Date: Tue, 12 Aug 2003 10:24:16 +0200

    I was reading an article on Slashdot recently about Linux just getting some
    sort of security certification and asked the question "What about FreeBSD?"
    I got the standard BSD trolls, but my comment was actually modded up to a 3,
    Interesting, I believe.

    What sorts of security standards commissions are there, how much does
    getting "standards certified" cost, and where should we start?

    I'm all for getting a website up to give out information on what we're
    trying to do and possibly collect donations, take comments, and set up
    discussions. I do have the time, resources, space and FreeBSD box ;) to set
    this up.

    I'd like to get started with this ASAP; any other ideas?

    Kind regards,

    Devon H. O'Dell
    Systems and Network Engineer
    Simpli, Inc. Web Hosting
    http://www.simpli.biz

    > -----Original Message-----
    > From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-
    > security@freebsd.org] On Behalf Of fbsd@w88trigger.com
    > Sent: Tuesday, August 12, 2003 3:32 AM
    > To: security@freebsd.org
    > Subject: Re: realpath(3) et al
    >
    > Organizing a review of the FreeBSD code base will be a tedious,
    > yet highly valuable endeavor. I have little spare time or
    > money, but I would be willing to contribute what I can for such
    > a worthy cause. I suspect that there are many others who feel
    > this way, and therefore it may be feasible for the 3rd party
    > conducting the review to be made up almost entirely of
    > volunteers. I guess the big issue is how to get the process
    > started.
    >
    > Need person(s) to organize reviews:
    > It seems like a first step should be to find someone who can
    > organize audits/reviews of the code base, and organize groups of
    > reviewers. Bodies of code could then be assigned to individual
    > volunteers or groups for review within some time frame. Results
    > would be collected and organized and code fixes made and
    > applied. No matter how the project is managed, I think the
    > first action must be to identify some volunteers to run the code
    > review project.
    >
    > Just an Idea:
    > Perhaps such reviews could take the form of bug-hunting contests,
    > where those who discover software defects or vulnerabilities are
    > awarded some form of recognition (i.e., named on FreeBSD
    > website), and/or some prize or trophy. This could actually be a
    > really fun activity if presented in the right way. Conducting
    > reviews in this manner may help attract more interest and reduce
    > or eliminate any need to hire a professional organization to
    > perform reviews. Of course there would have to be some rules
    > like, people cannot review code they had any part in authoring.
    >
    > Any way to get organized reviews done will be a great benefit to
    > the FreeBSD code base. I just want to see it happen and to help
    > where I can.
    >
    > --ajg
    >
    >
    > On Monday 11 August 2003 14:08, Mike Hoskins wrote:
    > > First, I hope that this message is not considered flame bait.
    > > As someone who has used FreeBSD for 5+ years now, I have a
    > > genuine interest in the integrity of our source code.
    > >
    > > Second, I hope that this message is not taken as any form of
    > > insult or finger pointing. Software without bugs does not
    > > exist, and I think we all know that. Acknowledging that point
    > > and working to mitigate the risks associated with it would
    > > seem to be our only real option.
    > >
    > > That said, every time something like the recent realpath(3)
    > > issue comes to light, I find myself asking why I haven't at
    > > least tried to do more to review our source code or (more
    > > desirable) enable 3rd-party audits.
    > >
    > > My question is... If enabling a 3rd-party audit for some
    > > target release (5.3+ I'd assume) is desirable, what would be
    > > needed money-, time- and other-wise? I'm willing to invest
    > > both time and money to make this happen. I'd expect such an
    > > endeavor to be tedious and expensive... and, of course, it
    > > would really need to be repeated occasionally to be of real
    > > value. (Probably, at least, after major version number
    > > changes.) However, perhaps doing an audit of the base system
    > > now would help our image in the security community?
    > >
    > > All I know is, despite occasional arguments and rants, I like
    > > FreeBSD. As long as it exists, I plan to have it installed...
    > > So it is in my best interest to help in any way I can. I know
    > > projects like secure/trustedBSD exist, but I am really looking
    > > for ways to promote the trust of the base system more than
    > > specialized projects/branches.
    > >
    > > Thoughts?
    > >
    > > -mrh
    > >
    > > --
    > > From: "Spam Catcher" <spam-catcher@adept.org>
    > > To: spam-catcher@adept.org
    > > Do NOT send email to the address listed above or
    > > you will be added to a blacklist!
    > > _______________________________________________
    > > freebsd-security@freebsd.org mailing list
    > > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > > To unsubscribe, send any mail to
    > > "freebsd-security-unsubscribe@freebsd.org"
    >


