Date: Tue, 11 Feb 1997 22:03:06 +1100 (EST)
From: proff@suburbia.net
To: dev@trifecta.com (Dev Chanchani)
Cc: security@freebsd.org
Subject: Re: Don't fulminate, be productive
Message-ID: <19970211110307.4923.qmail@suburbia.net>
In-Reply-To: <Pine.BSF.3.91.970210170144.7708E-100000@www.trifecta.com> from Dev Chanchani at "Feb 10, 97 05:02:56 pm"
> On Mon, 10 Feb 1997, Warner Losh wrote:
>
> > I'd wager that about 95% of the security problems in FreeBSD could
> > be solved by going over the OpenBSD cvs logs carefully and applying
> > those patches. Theo and co have been very careful in their audits of
> > their programs.

They have, but I prefer to not examine the OpenBSD base until after
auditing the FreeBSD base personally, lest it give you a false sense of
security. I'm not saying Theo et al haven't done a lot of work, but when
doing security analysis an uncontaminated perspective is important.

Also, I strongly disagree with the egrep 'strcpy|sprintf' etc approach.
Line by line code-flow-review is the only way to do it.

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery
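The contrast drawn above between grepping for strcpy/sprintf and reading the code flow, as an added C example that is not part of the original thread or of any FreeBSD/OpenBSD source: copy_checked would be flagged by the egrep yet is safe, copy_loop_offbyone would not be flagged yet writes past its buffer, and only following the bounds shows which is which. The function names and the 8-byte buffer are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Flagged by egrep 'strcpy|sprintf', yet safe: the length check before
 * strcpy() guarantees src and its terminating NUL fit in dst. */
static int copy_checked(char *dst, size_t dstsz, const char *src)
{
    if (strlen(src) >= dstsz)
        return -1;              /* does not fit: refuse, do not truncate */
    strcpy(dst, src);
    return 0;
}

/* Not flagged by that egrep (no strcpy, no sprintf), yet unsafe: the loop
 * stops at i == dstsz, then the NUL is stored at dst[dstsz], one byte past
 * the buffer, whenever strlen(src) >= dstsz. Deliberately buggy. */
static void copy_loop_offbyone(char *dst, size_t dstsz, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0' && i < dstsz; i++)
        dst[i] = src[i];
    dst[i] = '\0';              /* the off-by-one write */
}

/* Reviewer's derived precondition: the loop above overflows exactly when
 * the input leaves no room for the terminator. */
static int loop_would_overflow(size_t dstsz, const char *src)
{
    return strlen(src) >= dstsz;
}

/* The same loop after review: reserve a byte for the NUL and report
 * input that does not fit instead of silently truncating it. */
static int copy_loop_fixed(char *dst, size_t dstsz, const char *src)
{
    size_t i;
    if (dstsz == 0)
        return -1;
    for (i = 0; src[i] != '\0' && i + 1 < dstsz; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? 0 : -1;
}

int main(void)
{
    char buf[8];                /* constructed 8-byte destination */
    printf("checked strcpy, 8-char input: %d\n", copy_checked(buf, sizeof buf, "abcdefgh"));
    printf("loop would overflow on 8 chars: %d\n", loop_would_overflow(sizeof buf, "abcdefgh"));
    printf("fixed loop, 8-char input: %d\n", copy_loop_fixed(buf, sizeof buf, "abcdefgh"));
    return 0;
}
```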