Date: Wed, 20 Feb 2008 12:28:44 -0700
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: code review CVS
* [2008-02-19 08:35:44 +0100] Sebastian Krahmer wrote:
>On Mon, Feb 18, 2008 at 09:00:24AM -0700, Vincent Danen wrote:
>
>I am not sure if a cvs or something like a -AUDITED
>branch would be the right way, since it might not be obvious
>which older versions were reviewed too if new versions are committed.
>Maybe a wiki with a patch subdir and a link to the reviewed
>CVS version/branch will suffice. Need to play around :)
>On the other hand, if such a project grows you can have a complete distro
>you can check out and you always see which parts of a distro or larger project
>are reviewed, such as apache w/o certain modules. The problem is that
>such partial reviews may stop compiling upon checkout.
Hmmm... I'm not sure I'm completely following you here.
I like the patch idea, however. A "vendor patch" database of sorts
would be nice (it would save me from hunting through, say, Ubuntu packages for
a patch for something they already fixed, or looking at Ubuntu for one
and SUSE for another because of version differences).
That doesn't really concentrate on *auditing* however, but I could see
how the two could work well together under one common implementation.
--
Vincent Danen @ http://linsec.ca/