Date: Mon, 11 Aug 2003 16:34:40 -0700 (PDT)
From: Mike Hoskins
To: security@freebsd.org
In-Reply-To: <20030811232132.GB46629@madman.celabo.org>
Message-ID: <20030811162602.N72549@fubar.adept.org>
References: <20030811133749.U27196@fubar.adept.org> <20030811232132.GB46629@madman.celabo.org>
Subject: Re: realpath(3) et al
List-Id: Security issues [members-only posting]

On Mon, 11 Aug 2003, Jacques A. Vidrine wrote:

> More people should ask themselves that :-)  One can talk about auditing
> code, or one can do it.

Point taken. ;)

> Even in projects where careful auditing has been the primary focus,
> things get missed.  For example, OpenBSD missed this exact same bug
> and corrected it about the same time as everyone else.

I agree, and I find the OBSD bit interesting, since members of 'their community' often seem to point fingers in certain forums at other distributions for 'not being proactive'.
I think we all try to do the best job we can, and I'd often like to be able to tell those types to get off their high horse. :/

> We _do_ already audit code, you know.  FreeBSD-SA-03:09.signal was a
> result of my auditing, FreeBSD-SA-03:10.ibcs2 was a result of David's
> auditing.  Also, many commits that are just `cleanup' are the result
> of a kind of `auditing'.

I suspected as much, but I wasn't aware of specifics.

> What we perhaps lack is coordination.  This is not easy in a volunteer
> environment, but perhaps something as simple as a `scoreboard' with
> `these files being audited/have been audited by whatsmyname' would be
> an improvement.  On the other hand, in my experience, people are quick
> to volunteer and slow to follow up --- usually disappearing. :-(  Of
> course, those that do follow up often become committers themselves :-)

Wasn't there a page (maybe there still is...) showing sections of the base system as 'assigned' to certain individuals, with contact info listed? I think it was pretty stale for a while, but maybe something similar could be revived and maintained. If it already is, great! The scoreboard idea, or any idea that makes coordination easier for everyone, sounds spot on. Are you aware of any open source/free collaboration systems that provide such an interface? Or could you elaborate a bit more on what you think would be most useful?

> *shrug* I didn't know we had an image problem in the security
> community.

I don't think our image is bad, I'd just like it to be better.

> Probably the single most effective way to get an audit done is to read
> the code :-)

Along those lines, I just ordered a copy of _Code Reading: The Open Source Perspective_ on amazon. It received mixed reviews, and I'm hoping it's a worthy investment. Would anyone else care to recommend books, URLs, etc. that are useful to those interested in auditing code?
-mrh

-- 
From: "Spam Catcher" To: spam-catcher@adept.org
Do NOT send email to the address listed above or you will be added to a blacklist!