From owner-freebsd-audit Thu Dec 14 16:15:14 2000
Return-Path:
Delivered-To: freebsd-audit@freebsd.org
Received: from puck.firepipe.net (poynting.physics.purdue.edu [128.210.146.58]) by hub.freebsd.org (Postfix) with ESMTP id 11B5D37B404; Thu, 14 Dec 2000 16:15:12 -0800 (PST)
Received: by puck.firepipe.net (Postfix, from userid 1000) id 5B6341924; Thu, 14 Dec 2000 19:15:11 -0500 (EST)
Date: Thu, 14 Dec 2000 19:15:11 -0500
From: Will Andrews
To: security-officer@FreeBSD.org
Cc: audit@FreeBSD.org
Subject: audit patches need reviewing/committing
Message-ID: <20001214191511.Z1873@puck.firepipe.net>
Reply-To: Will Andrews
Mail-Followup-To: Will Andrews, security-officer@FreeBSD.org, audit@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD 4.2-STABLE i386
Sender: will@puck.firepipe.net
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dear Security Officer team,

For those of you on -audit, you might have noticed lately that a large number of people have been going through the FreeBSD src code and auditing it for things such as buffer overflows or improper use of APIs like mmap(), strdup(), et al. It would be nice if someone with credibility currently in the Security Officer team could step up to the plate and do some reviewing, since not that many of us are experienced in doing this job, and so not that many of us have credibility in this area.

If there's nobody who's assigned to do that, that kind of makes it pointless for non-SO people to be auditing the code, since their patches will just rot and require some merging into the tree. And if people keep auditing it but nobody looks at their diffs, who knows what mistakes might propagate in the diffs and need to be fixed?

So, I guess my question is this: is auditing a priority of the SO team at all?
If so, someone should be appointed to the team who can be relied on for proper reviews/commits and such, or someone should be picked from the current team to perform this "duty". :-)

I don't feel safe (and I am sure many other committers don't either) committing my auditing diffs because I have no idea if there are any problems with them. If someone who had credibility could review them, that'd be excellent. I know that if I had credibility I'd review and commit patches to take the load off the SO team.

--
wca