On Mon, Jun 13, 2005 at 11:44:24PM +0200, Ulf Harnhammar wrote:
> Do you think we should set any specific goals for the
> Debian Security Audit Project to achieve before Etch is
> released? Our work so far has shown that we don't need
> goals, but perhaps we can achieve even more if we set
> some goals (at least #X DSA's published before Etch,
> comprehensive audits of syslog() bugs or PHP include()
> bugs in lots of packages, other goals?).

Apart from your other suggestions I'm thinking of
making a small list of classes of packages which
can be done from start to finish.

I like the idea of covering PHP code, and I think
that another obvious `class` of packages is apache
modules. I've mostly covered the core apache2
modules already, and not found anything which
you can trigger without access to the configuration
file (i.e. root access).

But there are a fair number of other modules which
could be examined too.

Steve
--