RE: realpath(3) et al
From: Devon H. O'Dell (dodell_at_sitetronics.com)
To: <email@example.com>
Date: Tue, 12 Aug 2003 10:24:16 +0200
I was reading an article on Slashdot recently about Linux just getting some
sort of security certification and asked the question "What about FreeBSD?"
I got the standard BSD trolls, but my comment was actually modded up to a 3
("Interesting"), I believe.
What sorts of security standards commissions are there, how much does
getting "standards certified" cost, and where should we start?
I'm all for getting a website up to give out information on what we're
trying to do and possibly collect donations, take comments, and set up
discussions. I do have the time, resources, space and FreeBSD box ;) to set
I'd like to get started with this ASAP; any other ideas?
Devon H. O'Dell
Systems and Network Engineer
Simpli, Inc. Web Hosting
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:owner-freebsd-
> email@example.com] On Behalf Of firstname.lastname@example.org
> Sent: Tuesday, August 12, 2003 3:32 AM
> To: email@example.com
> Subject: Re: realpath(3) et al
> Organizing a review of the FreeBSD code base will be a tedious,
> yet highly valuable endeavor. I have little spare time or
> money, but I would be willing to contribute what I can for such
> a worthy cause. I suspect that there are many others who feel
> this way, and therefore it may be feasible for the 3rd party
> conducting the review to be made up almost entirely of
> volunteers. I guess the big issue is how to get the process
> Need person(s) to organize reviews:
> It seems like a first step should be to find someone who can
> organize audits/reviews of the code base, and organize groups of
> reviewers. Bodies of code could then be assigned to individual
> volunteers or groups for review within some time frame. Results
> would be collected and organized and code fixes made and
> applied. No matter how the project is managed, I think the
> first action must be to identify some volunteers to run the code
> review project.
> Just an Idea:
> Perhaps such reviews could take the form of bug-hunting contests,
> where those who discover software defects or vulnerabilities are
> awarded some form of recognition (i.e., named on FreeBSD
> website), and/or some prize or trophy. This could actually be a
> really fun activity if presented in the right way. Conducting
> reviews in this manner may help attract more interest and reduce
> or eliminate any need to hire a professional organization to
> perform reviews. Of course there would have to be some rules
> like, people cannot review code they had any part in authoring.
> Any way to get organized reviews done will be a great benefit to
> the FreeBSD code base. I just want to see it happen and to help
> where I can.
> On Monday 11 August 2003 14:08, Mike Hoskins wrote:
> > First, I hope that this message is not considered flame bait.
> > As someone who has used FreeBSD for 5+ years now, I have a
> > genuine interest in the integrity of our source code.
> > Second, I hope that this message is not taken as any form of
> > insult or finger pointing. Software without bugs does not
> > exist, and I think we all know that. Acknowledging that point
> > and working to mitigate the risks associated with it would
> > seem to be our only real option.
> > That said, every time something like the recent realpath(3)
> > issue comes to light, I find myself asking why I haven't at
> > least tried to do more to review our source code or (more
> > desirable) enable 3rd-party audits.
> > My question is... If enabling a 3rd-party audit for some
> > target release (5.3+ I'd assume) is desirable, what would be
> > needed money-, time- and other-wise? I'm willing to invest
> > both time and money to make this happen. I'd expect such an
> > endeavor to be tedious and expensive... and, of course, it
> > would really need to be repeated occasionally to be of real
> > value. (Probably, at least, after major version number
> > changes.) However, perhaps doing an audit of the base system
> > now would help our image in the security community?
> > All I know is, despite occasional arguments and rants, I like
> > FreeBSD. As long as it exists, I plan to have it installed...
> > So it is in my best interest to help in any way I can. I know
> > projects like secure/trustedBSD exist, but I am really looking
> > for ways to promote the trust of the base system more than
> > specialized projects/branches.
> > Thoughts?
> > -mrh
> > --
> > From: "Spam Catcher" <firstname.lastname@example.org>
> > To: email@example.com
> > Do NOT send email to the address listed above or
> > you will be added to a blacklist!
> > _______________________________________________
> > firstname.lastname@example.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to
> > "email@example.com"