[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Mon, 18 Feb 2008 09:00:24 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: code review CVS
* [2008-02-18 10:28:36 +0100] Sebastian Krahmer wrote:
>>>From my view it would be helpful to have some forum/CVS or whatever
>where code reviewers can submit the code they already audited along
>with remarks/exploits/patches etc.
>So everyone can match this against the version of the OSS project.
>In an ideal case their latest released version equals the
>version in the review CVS. It saves also the time to review
>files again which didnt change during versions.
This is an intriguing idea, but I wonder if a version control system is
actually required, or if we could use the wiki itself for something like
this.
A code checkin of audited source might be nice for "pristine" code
purposes, but then we almost duplicate an author's scm system.
Would not a simple list of software be sufficient? For instance,
something that listed:
- software name
- audited version
- audit date
- who did the audit
- results of the audit (links to patches, whatever)
Most authors keep old packages kicking around, so I don't think we need
an scm for this. I mean, if you review foo-1.1 and it's ok, and someone
indicates a vuln in foo-1.3, then one could easily download both foo-1.1
and foo-1.3 and just do a diff to see what's changed, right?
Or do I miss something where a scm would be really valuable?
--
Vincent Danen @ http://linsec.ca/
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Powered by Openwall GNU/*/Linux -
Powered by OpenVZ