From owner-freebsd-security@FreeBSD.ORG Tue Aug 12 05:59:43 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C45137B401; Tue, 12 Aug 2003 05:59:43 -0700 (PDT)
Received: from mail-pm.star.spb.ru (mail-pm.star.spb.ru [217.195.82.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B20A43F85; Tue, 12 Aug 2003 05:59:41 -0700 (PDT) (envelope-from nkritsky@internethelp.ru)
Received: from pink.star.spb.ru ([217.195.82.10]) by mail-pm.star.spb.ru (8.12.9/8.12.8) with ESMTP id h7CCxWPW080982; Tue, 12 Aug 2003 16:59:32 +0400 (MSD)
Received: from IBMKA ([217.195.82.7]) by pink.star.spb.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id PQJDY1Q2; Tue, 12 Aug 2003 16:59:32 +0400
Date: Tue, 12 Aug 2003 17:00:00 +0400
From: "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
X-Mailer: The Bat! (v1.49) Personal
X-Priority: 3 (Normal)
Message-ID: <159327446162.20030812170000@internethelp.ru>
To: "Jacques A. Vidrine"
In-reply-To: <20030811232132.GB46629@madman.celabo.org>
References: <20030811133749.U27196@fubar.adept.org> <20030811232132.GB46629@madman.celabo.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: security@freebsd.org
Subject: Re[2]: realpath(3) et al
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Nickolay A. Kritsky" <nkritsky@internethelp.ru>
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 12 Aug 2003 12:59:43 -0000

Hello Jacques,

Tuesday, August 12, 2003, 3:21:32 AM, you wrote:

>> My question is... If enabling a 3rd-party audit for some target release
>> (5.3+ I'd assume) is desirable, what would be needed money-, time- and
>> other-wise?

JAV> People need to read code, that's all. You can share your code reading
JAV> insights at freebsd-audit@freebsd.org, or if you believe it is
JAV> sensitive, with security-team@freebsd.org.

JAV> We _do_ already audit code, you know. FreeBSD-SA-03:09.signal was a
JAV> result of my auditing, FreeBSD-SA-03:10.ibcs2 was a result of David's
JAV> auditing. Also, many commits that are just `cleanup' are the result
JAV> of a kind of `auditing'.

JAV> What we perhaps lack is coordination. This is not easy in a volunteer
JAV> environment, but perhaps something as simple as a `scoreboard' with
JAV> `these files being audited/have been audited by whatsmyname' would be
JAV> an improvement. On the other hand, in my experience, people are quick
JAV> to volunteer and slow to follow up --- usually disappearing. :-( Of
JAV> course, those that do follow up often become committers themselves :-)

Some time ago I saw the problem reports database on FreeBSD's website. Why not use it for audit tracking? You could add an 'audit' class, or maybe some 'audit-*' categories? Have you thought about this?

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru