On Mon, Jun 13, 2005 at 11:44:24PM +0200, Ulf Harnhammar wrote:
> Do you think we should set any specific goals for the
> Debian Security Audit Project to achieve before Etch is
> released? Our work so far has shown that we don't need
> goals, but perhaps we can achieve even more if we set
> some goals (at least #X DSA's published before Etch,
> comprehensive audits of syslog() bugs or PHP include()
> bugs in lots of packages, other goals?).
Mmm... Setting a goal of a specific number of DSAs in etch might be too
much. But how about:
- we would like to do a security review of all the base packages before
etch (at least two people should look into them)
Rationale: base packages are installed in all Debian systems so we want to
make sure those are OK before release.
or
- we would like to do a security review of a significant percentage of
extra/optional packages before etch
Rationale: there are lots of packages in the optional/extra area which are
underused, undermaintained and bug-ridden (yes, including security bugs).
I've caught some while doing an automatic /tmp review, but we are sure to
find lots of those. We could have DSAs issued for those in sarge and force
those in etch to be pulled from the distribution (and maybe spank their
maintainers too...)
or
- we would like to provide a useful and complete document for all DDs (that
might be included in the NM process) that describes how to do a security
audit of their source packages and find the "low hanging fruit" with a mix
of automatic tools and some sensible questions.
Rationale: we are a small task force; if we can enroll all the other DDs to
search for security bugs we might have a better distribution overall.
How does any of these sound?
Regards
Javier