Date: Wed, 20 Feb 2008 12:28:44 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: code review CVS

* [2008-02-19 08:35:44 +0100] Sebastian Krahmer wrote:

>On Mon, Feb 18, 2008 at 09:00:24AM -0700, Vincent Danen wrote:
>
>I am not sure if a cvs or something like a -AUDITED
>branch would be the right way, since it might not be obvious
>which older versions were reviewed too if new versions are committed.
>Maybe a wiki with patch subdir and link to the reviewed
>CVS version/branch will suffice. Need to play around :)
>On the other hand if such a project grows you can have a complete distro
>you can check out and you always see which parts of a distro or larger project
>are reviewed such as apache w/o certain modules. Problem is that
>such partial reviews may stop compiling upon checkout.

Hmmm... I'm not sure I'm completely following you here.

I like the patch idea, however.  A "vendor patch" database of sorts
would be nice (would save me from hunting from, say, ubuntu packages for
a patch for something they already fixed, or looking at ubuntu for one,
and SUSE for another because of version differences).

That doesn't really concentrate on *auditing* however, but I could see
how the two could work well together under one common implementation.

-- 
Vincent Danen @ http://linsec.ca/

