
Re: Debian Security Audit Project: msg#00001

Subject: Re: Debian Security Audit Project
I'm replying to this, since nobody else has.

Quoting "Dafoe, Tim (MBS)" <Tim.Dafoe@xxxxxxxxxxxxx>:

> I'm looking for information regarding proactive efforts (such as those
> I've seen in other OSS groups) in the Debian project for vulnerability
> detection, code audit, etc. -- including how your auditing team conducts
> the work (i.e. module by module, according to a schedule, or through some
> other means) and the frequency of reviews.

We're kind of unorganized, so we don't have any schedules or anything. We've
been working on setuid and setgid programs a lot, and we've improved the
situation with such programs in Debian GNU/Linux a lot IMHO. We've also audited
a bunch of network-related programs, and we've done some work on automated
auditing scripts and programs that interface to several auditing programs at
once.

We have about 4 people regularly auditing programs, some of whom also work on
other things like programming the earlier mentioned software.

If we could start co-operating more instead of me sitting at home doing stuff
and Steve and Max et al sitting at home doing stuff without much discussion or
co-operation, we could really have an interesting Project.

-- 
Ulf Harnhammar
http://www.advogato.org/person/metaur/

