Date: Mon, 11 Aug 2003 18:31:39 -0700
From: fbsd@w88trigger.com
To: security@freebsd.org
Subject: Re: realpath(3) et al
Message-ID: <200308111831.39910.fbsd@w88trigger.com>
In-Reply-To: <20030811133749.U27196@fubar.adept.org>
References: <20030811133749.U27196@fubar.adept.org>
Organizing a review of the FreeBSD code base will be a tedious, yet highly valuable endeavor. I have little spare time or money, but I would be willing to contribute what I can for such a worthy cause. I suspect that there are many others who feel this way, and therefore it may be feasible for the 3rd party conducting the review to be made up almost entirely of volunteers. I guess the big issue is how to get the process started.

Need person(s) to organize reviews: It seems like a first step should be to find someone who can organize audits/reviews of the code base, and organize groups of reviewers. Bodies of code could then be assigned to individual volunteers or groups for review within some time frame. Results would be collected and organized and code fixes made and applied. No matter how the project is managed, I think the first action must be to identify some volunteers to run the code review project.

Just an idea: Perhaps such reviews could take the form of bug-hunting contests, where those who discover software defects or vulnerabilities are awarded some form of recognition (i.e., named on the FreeBSD website), and/or some prize or trophy. This could actually be a really fun activity if presented in the right way. Conducting reviews in this manner may help attract more interest and reduce or eliminate any need to hire a professional organization to perform reviews. Of course there would have to be some rules like, people cannot review code they had any part in authoring.

Any way to get organized reviews done will be a great benefit to the FreeBSD code base. I just want to see it happen and to help where I can.

--ajg

On Monday 11 August 2003 14:08, Mike Hoskins wrote:
> First, I hope that this message is not considered flame bait.
> As someone who has used FreeBSD for 5+ years now, I have a
> genuine interest in the integrity of our source code.
>
> Second, I hope that this message is not taken as any form of
> insult or finger pointing. Software without bugs does not
> exist, and I think we all know that. Acknowledging that point
> and working to mitigate the risks associated with it would
> seem to be our only real option.
>
> That said, every time something like the recent realpath(3)
> issue comes to light, I find myself asking why I haven't at
> least tried to do more to review our source code or (more
> desirable) enable 3rd-party audits.
>
> My question is... If enabling a 3rd-party audit for some
> target release (5.3+ I'd assume) is desirable, what would be
> needed money-, time- and other-wise? I'm willing to invest
> both time and money to make this happen. I'd expect such an
> endeavor to be tedious and expensive... and, of course, it
> would really need to be repeated occasionally to be of real
> value. (Probably, at least, after major version number
> changes.) However, perhaps doing an audit of the base system
> now would help our image in the security community?
>
> All I know is, despite occasional arguments and rants, I like
> FreeBSD. As long as it exists, I plan to have it installed...
> So it is in my best interest to help in any way I can. I know
> projects like secure/trustedBSD exist, but I am really looking
> for ways to promote the trust of the base system more than
> specialized projects/branches.
>
> Thoughts?
>
> -mrh