Date: Mon, 18 Feb 2008 09:00:24 -0700 From: Vincent Danen <vdanen@...sec.ca> To: oss-security@...ts.openwall.com Subject: Re: code review CVS * [2008-02-18 10:28:36 +0100] Sebastian Krahmer wrote: >>>From my view it would be helpful to have some forum/CVS or whatever >where code reviewers can submit the code they already audited along >with remarks/exploits/patches etc. >So everyone can match this against the version of the OSS project. >In an ideal case their latest released version equals the >version in the review CVS. It saves also the time to review >files again which didnt change during versions. This is an intriguing idea, but I wonder if a version control system is actually required, or if we could use the wiki itself for something like this. A code checkin of audited source might be nice for "pristine" code purposes, but then we almost duplicate an author's scm system. Would not a simple list of software be sufficient? For instance, something that listed: - software name - audited version - audit date - who did the audit - results of the audit (links to patches, whatever) Most authors keep old packages kicking around, so I don't think we need an scm for this. I mean, if you review foo-1.1 and it's ok, and someone indicates a vuln in foo-1.3, then one could easily download both foo-1.1 and foo-1.3 and just do a diff to see what's changed, right? Or do I miss something where a scm would be really valuable? -- Vincent Danen @ http://linsec.ca/ Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ