Date: Wed, 20 Feb 2008 12:28:44 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: code review CVS

* [2008-02-19 08:35:44 +0100] Sebastian Krahmer wrote:

> On Mon, Feb 18, 2008 at 09:00:24AM -0700, Vincent Danen wrote:
>
> I am not sure if a CVS or something like a -AUDITED
> branch would be the right way, since it might not be obvious
> which older versions were reviewed too if new versions are committed.
> Maybe a wiki with a patch subdir and a link to the reviewed
> CVS version/branch will suffice. Need to play around :)
> On the other hand, if such a project grows you can have a complete distro
> you can check out, and you always see which parts of a distro or larger project
> are reviewed, such as apache w/o certain modules. The problem is that
> such partial reviews may stop compiling upon checkout.

Hmmm... I'm not sure I'm completely following you here.

I like the patch idea, however. A "vendor patch" database of sorts would be nice (it would save me from hunting through, say, Ubuntu packages for a patch for something they already fixed, or looking at Ubuntu for one and SUSE for another because of version differences).

That doesn't really concentrate on *auditing*, however, but I could see how the two could work well together under one common implementation.

--
Vincent Danen @ http://linsec.ca/

Content of type "application/pgp-signature" skipped