Date: Wed, 13 Aug 2003 19:08:16 -0700 (PDT)
From: Mike Hoskins
To: security@freebsd.org
Message-ID: <20030813190151.X4965@fubar.adept.org>
Subject: Re: Certification (was RE: realpath(3) et al)

On Tue, 12 Aug 2003, Robert Watson wrote:

> The real upshot of all this, btw, is that security evaluation against the
> CC and related specs will have very little relationship to closing bugs
> associated with realpath(), et al. A source code auditing effort, funded
> or otherwise, would still be extremely useful, but the goal would have to
> be a more pragmatic "fewer bugs", and not a certification "Grade A
> Security" :-).

firstly, i highly respect your opinions... based upon past correspondence and the work i've seen from you. i also agree with what you say here, in some sense. that is, we want fewer bugs more than certification X.

however, while 'fewer bugs' is the better thing in the minds of most coders/admins... 'grade A security' is often the most prominent thing in the minds of the people with money... often the people who make the decisions. i.e. which OS gets installed on FBI and NSA computers. ;) lots of bureaucracy there... so having 'certification X' could get fbsd in doors it would not otherwise be allowed to enter. that's not purely a security issue, but certainly one i'd like to consider as important.

however, i fully agree this portion of the discussion can move to -advocacy. if we can agree on a given cert that's worthwhile (in some sense, like the one SuSe seems to have acquired)... who is the best person to make the case to -advocacy? i haven't been subscribed in a while, but i guess it's time to re-subscribe. :)

how hard would it be to get corporations involved? even without massive corporate support, if the issue is given enough visibility... i'd think getting smaller donations from a large number of people should not be impossible. (people do buy CDs, after all...)

-mrh