I asked a while back to make some things policy, one of those was describing
how system users should be created and ask packages to use those instead of
providing daemons with full root privileges (see #291177). Well, this was
some time ago, and I'm surprised to see stuff like this: #334616 (a sound
daemon running with *full* *root* privileges).

I've decided to write a section for the Developer's Reference called "Best
practices for security review and design". I think the Audit team (and
security team) would have less of a job if the maintainers were
knowledgeable enough to fix security bugs in packages before they are
uploaded and to detect software which is so bug-ridden with security issues
that it should never enter the archive.

The diff is attached (I'm going to commit it right away, I hope the
Developer's Reference maintainers don't mind) and I'm looking for help to
proofread it and extend it. If we could write a good section I think we
should go ahead and mail debian-devel-announce so that people are forewarned
and don't get bitten by us in the future so much. It would also be useful to
point maintainers to when they don't understand a bug sent by the audit team.

Believe me, the count of stupid security bugs (such as temp symlink issues)
is astoundingly high in the whole archive (in the order of a thousand). It'll
take me a lifetime to report all I have found with a proper patch and follow
it up to a DSA. I think the best course of action is to educate maintainers.
This is the first step towards that goal.

Regards,
Javier