Date:      Mon, 11 Aug 2003 16:34:40 -0700 (PDT)
From:      Mike Hoskins <mike@adept.org>
To:        security@freebsd.org
Subject:   Re: realpath(3) et al
Message-ID:  <20030811162602.N72549@fubar.adept.org>
In-Reply-To: <20030811232132.GB46629@madman.celabo.org>
References:  <20030811133749.U27196@fubar.adept.org> <20030811232132.GB46629@madman.celabo.org>

On Mon, 11 Aug 2003, Jacques A. Vidrine wrote:
> More people should ask themselves that :-)  One can talk about auditing
> code, or one can do it.

Point taken.  ;)

> Even in projects where careful auditing has been the primary focus,
> things get missed.  For example, OpenBSD missed this exact same bug
> and corrected it about the same time as everyone else.

I agree, and I find the OBSD bit interesting...  Since members of 'their
community' often seem to point fingers in certain forums at other
distributions for 'not being proactive'.  I think we all try to do the
best job we can, and I'd often like to be able to tell those types to get
off their high horse.  :/

> We _do_ already audit code, you know.  FreeBSD-SA-03:09.signal was a
> result of my auditing, FreeBSD-SA-03:10.ibcs2 was a result of David's
> auditing.  Also, many commits that are just `cleanup' are the result
> of a kind of `auditing'.

I suspected as much, but I wasn't aware of specifics.

> What we perhaps lack is coordination.  This is not easy in a volunteer
> environment, but perhaps something as simple as a `scoreboard' with
> `these files being audited/have been audited by whatsmyname' would be
> an improvement.  On the other hand, in my experience, people are quick
> to volunteer and slow to follow up --- usually disappearing. :-(  Of
> course, those that do follow up often become committers themselves :-)

Wasn't there a page (maybe there still is...) showing sections of the base
system as 'assigned' to certain individuals, with contact info listed?  I
think it was pretty stale for awhile, but maybe something similar could be
revived and maintained.  If it already is, great!

The scoreboard idea, or any idea that makes coordination easier for
everyone, sounds spot on.  Are you aware of any open source/free
collaboration systems that provide such an interface?  Or could you
elaborate a bit more on what you think would be most useful?

> *shrug* I didn't know we had an image problem in the security
> community.

I don't think our image is bad, I'd just like it to be better.

> Probably the single most effective way to get an audit done is to read
> the code :-)

Along those lines, I just ordered a copy of _Code Reading: The Open Source
Perspective_ on amazon.  It received mixed reviews, and I'm hoping
it's a worthy investment.  Would anyone else care to recommend books,
URLs, etc. that are useful to those interested in auditing code?

-mrh

--
From: "Spam Catcher" <spam-catcher@adept.org>
To: spam-catcher@adept.org
Do NOT send email to the address listed above or
you will be added to a blacklist!
