Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 12 Jan 2015 03:41:26 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: new code reviews

Galaxy,

What reviews have you made of the new/updated upstream code introduced
with your mid-2014 commits?

In CONCEPTS, we claim:

"The primary approach used is proactive source code review for several
classes of software vulnerabilities.  However, because of the large
amount of code, there's a certain level of "importance" for a software
component or a part thereof to be audited.  Currently, only pieces of
code which are typically run with privileges greater than those of a
regular user and/or typically process data obtained over a network are
audited before the corresponding software component is included.  This
covers relevant code paths in many of the system libraries, all SUID/
SGID programs, all daemons and network services.  Other software may
be audited when it is already a part of Owl.  Potential problems found
during the audit are fixed or, in some pathological cases, may prevent
the software component from being included.  In general, code quality
and privilege management are always considered when there's a choice
between implementations of a feature.  As the project evolves, many of
the software components will be replaced with ones of our own."

Arguably, the code you added/updated isn't "important" enough to require
proactive review per these terms.

I am especially concerned about nss and nspr.  Why does the new rpm need
them?  What other Owl-relevant software needs them (so that we'd want to
keep them available for use by other than rpm)?

Speaking of rpm's signature checking, if it requires this sort of crap
now I'd say that maybe we better drop/exclude its signature checking
support (which we don't use ourselves anyway, using mtree instead).
Being able to check signatures of other distros' packages on Owl before
possibly installing them on an Owl system is nice... but maybe not nice
enough for us to bite that bullet.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ