Date: Tue, 12 Aug 2003 10:24:16 +0200
From: "Devon H. O'Dell" <dodell@sitetronics.com>
To: <security@freebsd.org>
Subject: RE: realpath(3) et al
Message-ID: <002301c360ab$1ec6b940$9f8d2ed5@internal>
In-Reply-To: <200308111831.39910.fbsd@w88trigger.com>
I was reading an article on Slashdot recently about Linux just getting
some sort of security certification and asked the question "What about
FreeBSD?"

I got the standard BSD trolls, but my comment was actually modded up to
a 3, Interesting, I believe.

What sorts of security standards commissions are there, how much does
getting "standards certified" cost, and where should we start?

I'm all for getting a website up to give out information on what we're
trying to do and possibly collect donations, take comments, and set up
discussions. I do have the time, resources, space and FreeBSD box ;) to
set this up.

I'd like to get started with this ASAP; any other ideas?

Kind regards,

Devon H. O'Dell
Systems and Network Engineer
Simpli, Inc. Web Hosting
http://www.simpli.biz

> -----Original Message-----
> From: owner-freebsd-security@freebsd.org
> [mailto:owner-freebsd-security@freebsd.org] On Behalf Of fbsd@w88trigger.com
> Sent: Tuesday, August 12, 2003 3:32 AM
> To: security@freebsd.org
> Subject: Re: realpath(3) et al
>
> Organizing a review of the FreeBSD code base will be a tedious,
> yet highly valuable endeavor. I have little spare time or
> money, but I would be willing to contribute what I can for such
> a worthy cause. I suspect that there are many others who feel
> this way, and therefore it may be feasible for the 3rd party
> conducting the review to be made up almost entirely of
> volunteers. I guess the big issue is how to get the process
> started.
>
> Need person(s) to organize reviews:
> It seems like a first step should be to find someone who can
> organize audits/reviews of the code base, and organize groups of
> reviewers. Bodies of code could then be assigned to individual
> volunteers or groups for review within some time frame. Results
> would be collected and organized and code fixes made and
> applied. No matter how the project is managed, I think the
> first action must be to identify some volunteers to run the code
> review project.
>
> Just an idea:
> Perhaps such reviews could take the form of bug-hunting contests,
> where those who discover software defects or vulnerabilities are
> awarded some form of recognition (i.e., named on the FreeBSD
> website), and/or some prize or trophy. This could actually be a
> really fun activity if presented in the right way. Conducting
> reviews in this manner may help attract more interest and reduce
> or eliminate any need to hire a professional organization to
> perform reviews. Of course there would have to be some rules,
> like: people cannot review code they had any part in authoring.
>
> Any way to get organized reviews done will be a great benefit to
> the FreeBSD code base. I just want to see it happen and to help
> where I can.
>
> --ajg
>
>
> On Monday 11 August 2003 14:08, Mike Hoskins wrote:
> > First, I hope that this message is not considered flame bait.
> > As someone who has used FreeBSD for 5+ years now, I have a
> > genuine interest in the integrity of our source code.
> >
> > Second, I hope that this message is not taken as any form of
> > insult or finger pointing. Software without bugs does not
> > exist, and I think we all know that. Acknowledging that point
> > and working to mitigate the risks associated with it would
> > seem to be our only real option.
> >
> > That said, every time something like the recent realpath(3)
> > issue comes to light, I find myself asking why I haven't at
> > least tried to do more to review our source code or (more
> > desirable) enable 3rd-party audits.
> >
> > My question is... If enabling a 3rd-party audit for some
> > target release (5.3+ I'd assume) is desirable, what would be
> > needed money-, time- and other-wise? I'm willing to invest
> > both time and money to make this happen. I'd expect such an
> > endeavor to be tedious and expensive... and, of course, it
> > would really need to be repeated occasionally to be of real
> > value. (Probably, at least, after major version number
> > changes.) However, perhaps doing an audit of the base system
> > now would help our image in the security community?
> >
> > All I know is, despite occasional arguments and rants, I like
> > FreeBSD. As long as it exists, I plan to have it installed...
> > So it is in my best interest to help in any way I can. I know
> > projects like secure/trustedBSD exist, but I am really looking
> > for ways to promote the trust of the base system more than
> > specialized projects/branches.
> >
> > Thoughts?
> >
> > -mrh
> >
> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to
> > "freebsd-security-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002301c360ab$1ec6b940$9f8d2ed5>