On Thu, Apr 06, 2006 at 01:55:11AM +0200, Javier Fernández-Sanguino Peña wrote:
> I have finished writing the paper for the security workshop I proposed for
> Debconf6: "Weeding out security bugs". I would *really* appreciate if
> somebody could read it and comment on it, you can find it here:
> http://people.debian.org/~jfs/debconf6/#security
I've just been re-reading old mails and remembered this one, so
apologies for a late reply.
For some reason gpdf wasn't happy with the PDF version so I
read the lyx file.
I loved the introduction, and thought the complete paper was
nicely written.
There were a couple of sentences which stood out as being
worded clumsily, but they were little things like this:
"It has been direct responsible" should be "directly".
"makes it inevitable to have a large number of security bugs in it."
might be better as "makes it inevitable that a large number of
unfound security issues are present in each release".
I'll give a complete diff later if that is useful, offlist?
I think it might be nice to focus more on the non-traditional
classes of bugs, since the standard buffer overflows, whilst
not exhausted, seem to be occurring less often.
Things like your own temporary file auditing (more news on
that soon), Ulf's work on syslog issues, etc.
I liked the offer of auditing by us for package maintainers
and liked the idea of listing things to be wary of. I'd suggest
including "Adding system cron jobs" to the list, that is really
a subset of software running as root, but perhaps less commonly
considered?
Steve