On Sat, Aug 02, 2003 at 08:14:15PM -0500, Manoj Srivastava wrote:

> Heh. You should look at what is in the current version:

Is that what you would say to the users who have angband installed on Woody? I do not think this is something to laugh about.

> Superficial audits are probably worse than none; they tend to
> raise false senses of security.

Only if their results are interpreted incorrectly. A superficial audit is enough to say "this program cannot be trusted to be setid until it has received a more thorough audit". If no one is willing or able to perform such an audit, the program should not be distributed setid. This is the kind of result that I hope would be achieved by recommending discussion before new setid programs are added to the distribution.

If we had the resources to thoroughly audit all such programs before distributing them, that would be better, but as yet we do not. However, having an established channel for this kind of review makes it easier for interested parties to perform some amount of auditing.

Of course, even thorough auditing cannot provide security guarantees; it can only find new bugs.

--
 - mdz