Date: Thu, 14 Dec 2000 19:15:11 -0500
From: Will Andrews <will@physics.purdue.edu>
To: security-officer@FreeBSD.org
Cc: audit@FreeBSD.org
Subject: audit patches need reviewing/committing
Message-ID: <20001214191511.Z1873@puck.firepipe.net>
Dear Security Officer team,

For those of you on -audit, you might have noticed lately that a large number of people have been going through the FreeBSD src code and auditing it for things such as buffer overflows or improper use of APIs like mmap(), strdup(), et al. It would be nice if someone with credibility currently in the Security Officer team could step up to the plate and do some reviewing, since not that many of us are experienced in doing this job, and so not that many of us have credibility in this area.

If there's nobody who's assigned to do that, that kind of makes it pointless for non-SO people to be auditing the code, since their patches will just rot and require some merging into the tree. And if people keep auditing it but nobody looks at their diffs, who knows what mistakes might propagate in the diffs and need to be fixed?

So, I guess my question is this: is auditing a priority of the SO team at all? If so, someone should be appointed to the team who can be relied on for proper reviews/commits and such, or someone should be picked from the current team to perform this "duty". :-)

I don't feel safe (and I am sure many other committers feel the same) committing my auditing diffs because I have no idea if there are any problems with them. If someone who had credibility could review them, that'd be excellent. I know that if I had credibility I'd review and commit patches to take the load off the SO team.

-- 
wca

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message