Date: Thu, 14 Dec 2000 22:21:59 -0800
From: Kris Kennaway <kris@FreeBSD.org>
To: Will Andrews <will@physics.purdue.edu>, security-officer@FreeBSD.org, audit@FreeBSD.org
Subject: Re: audit patches need reviewing/committing
Message-ID: <20001214222159.B2040@citusc.usc.edu>
In-Reply-To: <20001214191511.Z1873@puck.firepipe.net>; from will@physics.purdue.edu on Thu, Dec 14, 2000 at 07:15:11PM -0500
References: <20001214191511.Z1873@puck.firepipe.net>
On Thu, Dec 14, 2000 at 07:15:11PM -0500, Will Andrews wrote:
> Dear Security Officer team,
>
> For those of you on -audit, you might have noticed lately that a large
> number of people have been going through the FreeBSD src code and
> auditing it for things such as buffer overflows or improper use of APIs
> like mmap(), strdup(), et al.
>
> It would be nice if someone with credibility currently in the Security
> Officer team could step up to the plate and do some reviewing... since
> not that many of us are experienced in doing this job, and so not that
> many of us have credibility in this area. If there's nobody who's
> assigned to do that, that kind of makes it pointless for non-SO people
> to be auditing the code, since their patches will just rot and require
> some merging into the tree. And if people keep auditing it but nobody
> looks at their diffs, who knows what mistakes might propagate in the
> diffs and need to be fixed?
>
> So, I guess my question is this: is auditing a priority of the SO team
> at all? If so, someone should be appointed to the team that can be
> relied on for proper reviews/commits & such, or someone should be picked
> from the current time to perform this "duty". :-)

You raise a valid point - we need to make sure we don't lose the new-found
momentum on audit, and that the older hands amongst the audit group give
appropriate sign-offs on acceptable patches (or not). I wish I could be
doing this myself right now, but it's difficult to even keep up with the
regular security officer workload since I'm on vacation.

So I'd like to echo Will's call for people to make the effort to review
some of the patches posted here and to give any comments that occur,
positive or negative.

Kris