Date: Wed, 01 Dec 1999 22:54:34 +0200 From: Mark Murray <mark@grondar.za> To: Brad Knowles <blk@skynet.be> Cc: Warner Losh <imp@village.org>, tstromberg@rtci.com, freebsd-audit@FreeBSD.ORG Subject: Re: Where to start? Heres a few overflows. Message-ID: <199912012054.WAA22838@gratis.grondar.za>
next in thread | raw e-mail | index | archive | help
> As I recall, one of the goals that OpenBSD used in their audit > process was that they fixed bugs wherever they ran across them, > regardless of whether they believed they were exploitable. This has > protected them against a number of exploits that have since become > known, since the bug that someone is trying to exploit simply no > longer exists under OpenBSD. This is very valid, and most valuable. > Do we not want to employ the same kind of methodology, or have I > missed something here? Absolutely. Any bug fises are most welcome. > Also, what about the OpenBSD approach whereby security becomes > inherently integrated into the entire development process, as opposed > to something you try to add later? As long as it is not a silly thing like adding crypto to cat(1), that is fine. > Maybe I'm missing something, but it seems to me that the entire > audit project is doomed to ultimately fail if we can't ensure that > bugs, once fixed, remain that way. If we can train the committer-base on what to do (some style(9)-type debates come to mind), then we should be able to maintain it indefinitely. M -- Mark Murray Join the anti-SPAM movement: http://www.cauce.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199912012054.WAA22838>