On Tue, 23 Nov 1999, Gerald Abshez wrote:
> Kris Kennaway wrote:
> >
> > Let me throw in some ideas..
> > 
> > I think it would be very useful to have a database which can track
> > submitted open/netbsd CVS commits (with the code diff included),
> > preferably mapped to the relevant file in the freebsd tree if possible
> > according to a path mapping table (i.e. /some/openbsd/path/file.c mapped
> > to /equiv/freebsd.path/file.c).
> 
> Here is my 0.02:
> 
> I think it would be useful to identify "unsafe" functions, so that
> anyone can participate in the "eyeball" portion of the game. This means
> that we need eyeballed, identified as a (potential) problem and fixed,
> as well as some other possibilities. There is a lot of code out there,
> and it would help if we could involve the non-programmers in the search.
> 
> Comments?
> 

  I was thinking about this on the drive home...

  * We need to break the auditing process into manageable work units.

  * We need to note when a commit affects code that was believed to have
    previously been secure (so that it may be audited again).

  * We should indicate what parts of the code have been audited without
    discouraging others from double-checking if they like.

  * We would like to be able to identify and integrate security fixes
    already made by OpenBSD or NetBSD easily.

  * We would like to flag programs as suspect/insecure when they are the
    subject of bugtraq reports.

  Are there additional goals anyone else has in mind? I've got some
thoughts on implementing these, but my wife is telling me it is time to
go :) I'll share when I get back from the movies :)

  Kelly
--
Kelly Yancey  -  [EMAIL PROTECTED]  -  Richmond, VA
Director of Technical Services, ALC Communications  http://www.alcnet.com/
Maintainer, BSD Driver Database       http://www.posi.net/freebsd/drivers/
Coordinator, Team FreeBSD        http://www.posi.net/freebsd/Team-FreeBSD/
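One way the commit-tracking and re-audit goals in Kelly's list could be modelled, as an added example that is not code from the thread or from any BSD project; the path mapping table, revision numbers and commit records are constructed sample data, and the ledger layout is an assumption:

```python
# Constructed path mapping table (assumption): upstream path -> FreeBSD path.
PATH_MAP = {
    "src/lib/libc/stdio/vfprintf.c": "lib/libc/stdio/vfprintf.c",
    "src/usr.bin/finger/finger.c": "usr.bin/finger/finger.c",
}

def map_path(tree, path):
    """Translate an OpenBSD/NetBSD path to its FreeBSD path (None if unmapped)."""
    return path if tree == "freebsd" else PATH_MAP.get(path)

def entry_for(ledger, path):
    """Get or create the ledger row for a FreeBSD file."""
    return ledger.setdefault(path, {"status": "unaudited", "audited_rev": None,
                                    "upstream_fixes": []})

def record_audit(ledger, path, rev):
    """Mark a FreeBSD file as audited at revision rev."""
    entry_for(ledger, path).update(status="audited", audited_rev=rev)

def apply_commits(ledger, commits):
    """Feed commit records {tree, path, rev} into the ledger. A FreeBSD commit
    to an audited file moves it to needs-reaudit; an OpenBSD/NetBSD commit is
    queued as a candidate fix. Returns (reaudit paths, pending-fix paths)."""
    reaudit, pending = [], []
    for c in commits:
        fpath = map_path(c["tree"], c["path"])
        if fpath is None:
            continue  # no FreeBSD equivalent in the mapping table; skip
        entry = entry_for(ledger, fpath)
        if c["tree"] != "freebsd":
            entry["upstream_fixes"].append((c["tree"], c["rev"]))
            pending.append(fpath)
        elif entry["status"] == "audited" and c["rev"] != entry["audited_rev"]:
            entry["status"] = "needs-reaudit"
            reaudit.append(fpath)
    return reaudit, pending

# Constructed sample commits: a FreeBSD change to an audited file, an OpenBSD
# fix to a mapped file, and a NetBSD change to a file with no mapping.
SAMPLE_COMMITS = [
    {"tree": "freebsd", "path": "lib/libc/stdio/vfprintf.c", "rev": "1.24"},
    {"tree": "openbsd", "path": "src/usr.bin/finger/finger.c", "rev": "1.9"},
    {"tree": "netbsd", "path": "src/lib/libc/gen/unmapped.c", "rev": "1.2"},
]

def demo():
    ledger = {}
    record_audit(ledger, "lib/libc/stdio/vfprintf.c", "1.23")
    record_audit(ledger, "usr.bin/finger/finger.c", "1.5")
    return apply_commits(ledger, SAMPLE_COMMITS), ledger
```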
