Date: Wed, 13 Aug 2003 19:08:16 -0700 (PDT)
From: Mike Hoskins <mike@adept.org>
To: security@freebsd.org
Subject: Re: Certification (was RE: realpath(3) et al)
Message-ID: <20030813190151.X4965@fubar.adept.org>
In-Reply-To: <Pine.NEB.3.96L.1030812233402.71381B-100000@fledge.watson.org>
References: <Pine.NEB.3.96L.1030812233402.71381B-100000@fledge.watson.org>
On Tue, 12 Aug 2003, Robert Watson wrote:

> The real upshot of all this, btw, is that security evaluation against the
> CC and related specs will have very little relationship to closing bugs
> associated with realpath(), et al. A source code auditing effort, funded
> or otherwise, would still be extremely useful, but the goal would have to
> be a more pragmatic "fewer bugs", and not a certification "Grade A
> Security" :-).

firstly, i highly respect your opinions... based upon past correspondence and the work i've seen from you. i also agree with what you say here, in some sense. that is, we want fewer bugs more than certification X.

however, while 'fewer bugs' is the better thing in the minds of most coders/admins... 'grade A security' is often the most prominent thing in the minds of the people with money... often the people who make the decisions. i.e. which OS gets installed on FBI and NSA computers. ;) lots of bureaucracy there... so having 'certification X' could get fbsd in doors it would not otherwise be allowed to enter. that's not purely a security issue, but certainly one i'd like to consider as important.

however, i fully agree this portion of the discussion can move to -advocacy. if we can agree on a given cert that's worthwhile (in some sense, like the one SuSe seems to have acquired)... who is the best person to make the case to -advocacy? i haven't been subscribed in a while, but i guess it's time to re-subscribe. :)

how hard would it be to get corporations involved? even without massive corporate support, if the issue is given enough visibility... i'd think getting smaller donations from a large number of people should not be impossible. (people do buy CDs, after all...)

-mrh

-- 
From: "Spam Catcher" <spam-catcher@adept.org>
To: spam-catcher@adept.org
Do NOT send email to the address listed above or you will be added to a blacklist!