Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 18 Feb 2008 09:00:24 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: code review CVS

* [2008-02-18 10:28:36 +0100] Sebastian Krahmer wrote:

>>>From my view it would be helpful to have some forum/CVS or whatever
>where code reviewers can submit the code they already audited along
>with remarks/exploits/patches etc.
>So everyone can match this against the version of the OSS project.
>In an ideal case their latest released version equals the
>version in the review CVS. It saves also the time to review
>files again which didnt change during versions.

This is an intriguing idea, but I wonder if a version control system is
actually required, or if we could use the wiki itself for something like
this.

A code checkin of audited source might be nice for "pristine" code
purposes, but then we almost duplicate an author's scm system.

Would not a simple list of software be sufficient?  For instance,
something that listed:

- software name
- audited version
- audit date
- who did the audit
- results of the audit (links to patches, whatever)

Most authors keep old packages kicking around, so I don't think we need
an scm for this.  I mean, if you review foo-1.1 and it's ok, and someone
indicates a vuln in foo-1.3, then one could easily download both foo-1.1
and foo-1.3 and just do a diff to see what's changed, right?

Or do I miss something where a scm would be really valuable?

-- 
Vincent Danen @ http://linsec.ca/

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.