Date: Tue, 12 Aug 2003 17:00:00 +0400
From: "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
To: "Jacques A. Vidrine" <nectar@freebsd.org>
Cc: security@freebsd.org
Subject: Re[2]: realpath(3) et al
Message-ID: <159327446162.20030812170000@internethelp.ru>
In-Reply-To: <20030811232132.GB46629@madman.celabo.org>
References: <20030811133749.U27196@fubar.adept.org> <20030811232132.GB46629@madman.celabo.org>

Hello Jacques,

Tuesday, August 12, 2003, 3:21:32 AM, you wrote:

>> My question is... If enabling a 3rd-party audit for some target release
>> (5.3+ I'd assume) is desirable, what would be needed money-, time- and
>> other-wise?

JAV> People need to read code, that's all. You can share your code reading
JAV> insights at freebsd-audit@freebsd.org, or if you believe it is
JAV> sensitive, with security-team@freebsd.org.

JAV> We _do_ already audit code, you know. FreeBSD-SA-03:09.signal was a
JAV> result of my auditing, FreeBSD-SA-03:10.ibcs2 was a result of David's
JAV> auditing. Also, many commits that are just `cleanup' are the result
JAV> of a kind of `auditing'.

JAV> What we perhaps lack is coordination. This is not easy in a volunteer
JAV> environment, but perhaps something as simple as a `scoreboard' with
JAV> `these files being audited/have been audited by whatsmyname' would be
JAV> an improvement. On the other hand, in my experience, people are quick
JAV> to volunteer and slow to follow up --- usually disappearing. :-( Of
JAV> course, those that do follow up often become committers themselves :-)

Some time ago I saw the problem reports database on FreeBSD's website.
Why not use it for audit tracking? You can add an 'audit' class, or maybe
some 'audit-*' categories? Have you thought about this?

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru