Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 18 Feb 2008 09:00:24 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: code review CVS

* [2008-02-18 10:28:36 +0100] Sebastian Krahmer wrote:

>>>From my view it would be helpful to have some forum/CVS or whatever
>where code reviewers can submit the code they already audited along
>with remarks/exploits/patches etc.
>So everyone can match this against the version of the OSS project.
>In an ideal case their latest released version equals the
>version in the review CVS. It saves also the time to review
>files again which didnt change during versions.

This is an intriguing idea, but I wonder if a version control system is
actually required, or if we could use the wiki itself for something like
this.

A code checkin of audited source might be nice for "pristine" code
purposes, but then we almost duplicate an author's scm system.

Would not a simple list of software be sufficient?  For instance,
something that listed:

- software name
- audited version
- audit date
- who did the audit
- results of the audit (links to patches, whatever)

Most authors keep old packages kicking around, so I don't think we need
an scm for this.  I mean, if you review foo-1.1 and it's ok, and someone
indicates a vuln in foo-1.3, then one could easily download both foo-1.1
and foo-1.3 and just do a diff to see what's changed, right?

Or do I miss something where a scm would be really valuable?

-- 
Vincent Danen @ http://linsec.ca/

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ