From owner-freebsd-arch Fri Jul 27 10:20:41 2001
Delivered-To: freebsd-arch@freebsd.org
Received: from dragon.nuxi.com (trang.nuxi.com [206.40.252.115]) by hub.freebsd.org (Postfix) with ESMTP id 582D137B406 for ; Fri, 27 Jul 2001 10:20:33 -0700 (PDT) (envelope-from obrien@NUXI.com)
Received: (from obrien@localhost) by dragon.nuxi.com (8.11.3/8.11.1) id f6RHJxQ44354; Fri, 27 Jul 2001 10:19:59 -0700 (PDT) (envelope-from obrien)
Date: Fri, 27 Jul 2001 10:19:54 -0700
From: "David O'Brien"
To: Kris Kennaway
Cc: Mike Heffner , arch@FreeBSD.ORG
Subject: Re: Importing lukemftpd
Message-ID: <20010727101954.C43542@dragon.nuxi.com>
Reply-To: obrien@FreeBSD.ORG
References: <20010717103604.B79329@xor.obsecurity.org> <20010719112221.A84356@dragon.nuxi.com> <20010719123015.A44746@xor.obsecurity.org> <20010719203700.B94074@dragon.nuxi.com> <20010719210332.A78418@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010719210332.A78418@xor.obsecurity.org>; from kris@obsecurity.org on Thu, Jul 19, 2001 at 09:03:33PM -0700
X-Operating-System: FreeBSD 5.0-CURRENT
Organization: The NUXI BSD group
X-Pgp-Rsa-Fingerprint: B7 4D 3E E9 11 39 5F A3 90 76 5D 69 58 D9 98 7A
X-Pgp-Rsa-Keyid: 1024/34F9F9D5
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Jul 19, 2001 at 09:03:33PM -0700, Kris Kennaway wrote:
> You and John are being paid to work full-time on FreeBSD, and the
> projects you mentioned are projects you do during your >8 hours a day
> of paid FreeBSD hacking time. If you were working on these in your
> own time, say from 10pm at night after a hard day at work,

When we work >8 hours a day, we *are* working on XYZ in our own time. :-)

> Auditing of a non-trivial application is time-consuming and difficult.
> The kinds of bugs I expect might be found in something like ftpd are
> not the trivial ones involving misuse of sprintf(),

It would still be nice to see even this type/level of auditing of LukeM ftpd.

> but the deeply
> embedded ones which rely on interactions between several different
> parts of the code. That requires someone to sit down for a week and
> really become intimate with the code, which isn't something that most
> people can do in their spare time for an hour or two here and there
> (which is why no-one's done this so far).

Who do you trust to do this review? Me? Anybody? Only members of the S.O. team? Any of the typical contributors to -audit? Surely, given your stance on this issue, just anyone coming forward saying they've "audited" the code will appease you.

-- 
-- David (obrien@FreeBSD.org)

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message