Date: Mon, 11 Aug 2003 16:14:52 -0700 (PDT)
From: Mike Hoskins <mike@adept.org>
To: security@freebsd.org
Subject: Re: realpath(3) et al
Message-ID: <20030811160014.B60109@fubar.adept.org>
In-Reply-To: <20030811223323.GA43868@rot13.obsecurity.org>
References: <20030811133749.U27196@fubar.adept.org> <20030811223323.GA43868@rot13.obsecurity.org>
On Mon, 11 Aug 2003, Kris Kennaway wrote:

> Help with auditing is always welcomed. See the freebsd-audit mailing
> list.

Thanks, Kris... I will browse the -audit archives, and subscribe if I feel I have something to contribute. Since I haven't written any real (read: compiled) source code since CSCE, I have a lot to learn before I can speak on such lists.

Besides volunteer efforts (which I think are great, and I'd love to attempt to organize... I liked the ideas others have posted so far), I wonder if it would be useful to use some tool or 3rd party as well? I specifically mentioned '3rd party' because conducting such an external audit generally allows you to say 'our code meets the following spec(s)'. Being able to say that may serve a meaningful purpose in certain circles. Obviously, bugs would still exist (and old bugs may reappear over time, as pointed out by Wietse Venema on Bugtraq recently), and reviews would still need to happen... But I believe getting 3rd-party consensus about the 'quality' of our code at a given point in time could be quite useful to the project. I may be off-base; it wouldn't be the first time.

It may be just as useful to use some 'industry accepted tool' (probably something commercial, although open-source tools would work if they are used and respected by members of our community) to do scans of the base system. I would think that things like one-off errors would be caught by most code review utilities. Are any of these utilities used now? Has any thought been given to their use? Do developers and/or the core team have general feelings about the usefulness of such utilities?

If it's simply a matter of money, I'll start a collection today. Not to give a false impression... I don't have jewels flowing from my pockets either. ;) However, I think of the many things I spend money on... This would be one of the most worthwhile. I would like to invest time as well, but while I'm coming up to speed it is easier to throw money at the problem.

I'm glad to see interest in this endeavor -- it is just what I expected. I'm sure anyone here has interest; it is just a matter of figuring out the best way to proceed. We need volunteers, tools and time. My primary concern is ensuring that the result of any work is as immediately useful to the project and our community as possible.

-mrh

--
From: "Spam Catcher" <spam-catcher@adept.org>
To: spam-catcher@adept.org
Do NOT send email to the address listed above or you will be added to a blacklist!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030811160014.B60109>