RE: realpath(3) et al

From: Devon H. O'Dell (dodell_at_sitetronics.com)
Date: 08/12/03

  • Next message: Simon L. Nielsen: "Re: realpath(3) et al"
    To: <security@freebsd.org>
    Date: Tue, 12 Aug 2003 10:24:16 +0200
    
    

    I was reading an article on Slashdot recently about Linux just getting some
    sort of security certification and asked the question "What about FreeBSD?"
    I got the standard BSD trolls, but my comment was actually modded up to a 3,
    Interesting, I believe.

    What sorts of security standards commissions are there, how much does
    getting "standards certified" cost, and where should we start?

    I'm all for getting a website up to give out information on what we're
    trying to do and possibly collect donations, take comments, and set up
    discussions. I do have the time, resources, space and FreeBSD box ;) to set
    this up.

    I'd like to get started with this ASAP; any other ideas?

    Kind regards,

    Devon H. O'Dell
    Systems and Network Engineer
    Simpli, Inc. Web Hosting
    http://www.simpli.biz

    > -----Original message-----
    > From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-
    > security@freebsd.org] On behalf of fbsd@w88trigger.com
    > Sent: Tuesday, August 12, 2003 3:32 AM
    > To: security@freebsd.org
    > Subject: Re: realpath(3) et al
    >
    > Organizing a review of the FreeBSD code base will be a tedious,
    > yet highly valuable endeavor. I have little spare time or
    > money, but I would be willing to contribute what I can for such
    > a worthy cause. I suspect that there are many others who feel
    > this way, and therefore it may be feasible for the 3rd party
    > conducting the review to be made up almost entirely of
    > volunteers. I guess the big issue is how to get the process
    > started.
    >
    > Need person(s) to organize reviews:
    > It seems like a first step should be to find someone who can
    > organize audits/reviews of the code base, and organize groups of
    > reviewers. Bodies of code could then be assigned to individual
    > volunteers or groups for review within some time frame. Results
    > would be collected and organized and code fixes made and
    > applied. No matter how the project is managed, I think the
    > first action must be to identify some volunteers to run the code
    > review project.
    >
    > Just an Idea:
    > Perhaps such reviews could take the form of bug-hunting contests,
    > where those who discover software defects or vulnerabilities are
    > awarded some form of recognition (i.e., named on FreeBSD
    > website), and/or some prize or trophy. This could actually be a
    > really fun activity if presented in the right way. Conducting
    > reviews in this manner may help attract more interest and reduce
    > or eliminate any need to hire a professional organization to
    > perform reviews. Of course there would have to be some rules
    > like, people cannot review code they had any part in authoring.
    >
    > Any way to get organized reviews done will be a great benefit to
    > the FreeBSD code base. I just want to see it happen and to help
    > where I can.
    >
    > --ajg
    >
    >
    > On Monday 11 August 2003 14:08, Mike Hoskins wrote:
    > > First, I hope that this message is not considered flame bait.
    > > As someone who has used FreeBSD for 5+ years now, I have a
    > > genuine interest in the integrity of our source code.
    > >
    > > Second, I hope that this message is not taken as any form of
    > > insult or finger pointing. Software without bugs does not
    > > exist, and I think we all know that. Acknowledging that point
    > > and working to mitigate the risks associated with it would
    > > seem to be our only real option.
    > >
    > > That said, every time something like the recent realpath(3)
    > > issue comes to light, I find myself asking why I haven't at
    > > least tried to do more to review our source code or (more
    > > desirable) enable 3rd-party audits.
    > >
    > > My question is... If enabling a 3rd-party audit for some
    > > target release (5.3+ I'd assume) is desirable, what would be
    > > needed money-, time- and other-wise? I'm willing to invest
    > > both time and money to make this happen. I'd expect such an
    > > endeavor to be tedious and expensive... and, of course, it
    > > would really need to be repeated occasionally to be of real
    > > value. (Probably, at least, after major version number
    > > changes.) However, perhaps doing an audit of the base system
    > > now would help our image in the security community?
    > >
    > > All I know is, despite occasional arguments and rants, I like
    > > FreeBSD. As long as it exists, I plan to have it installed...
    > > So it is in my best interest to help in any way I can. I know
    > > projects like secure/trustedBSD exist, but I am really looking
    > > for ways to promote the trust of the base system more than
    > > specialized projects/branches.
    > >
    > > Thoughts?
    > >
    > > -mrh
    > >
    > > --
    > > From: "Spam Catcher" <spam-catcher@adept.org>
    > > To: spam-catcher@adept.org
    > > Do NOT send email to the address listed above or
    > > you will be added to a blacklist!
    > > _______________________________________________
    > > freebsd-security@freebsd.org mailing list
    > > http://lists.freebsd.org/mailman/listinfo/freebsd-security
    > > To unsubscribe, send any mail to
    > > "freebsd-security-unsubscribe@freebsd.org"
    >


