Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20150112004126.GA4934@openwall.com>
Date: Mon, 12 Jan 2015 03:41:26 +0300
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: new code reviews

Galaxy,

What reviews have you made of the new/updated upstream code introduced
with your mid-2014 commits?

In CONCEPTS, we claim:

"The primary approach used is proactive source code review for several
classes of software vulnerabilities.  However, because of the large
amount of code, there's a certain level of "importance" for a software
component or a part thereof to be audited.  Currently, only pieces of
code which are typically run with privileges greater than those of a
regular user and/or typically process data obtained over a network are
audited before the corresponding software component is included.  This
covers relevant code paths in many of the system libraries, all SUID/
SGID programs, all daemons and network services.  Other software may
be audited when it is already a part of Owl.  Potential problems found
during the audit are fixed or, in some pathological cases, may prevent
the software component from being included.  In general, code quality
and privilege management are always considered when there's a choice
between implementations of a feature.  As the project evolves, many of
the software components will be replaced with ones of our own."

Arguably, the code you added/updated isn't "important" enough to require
proactive review per these terms.

I am especially concerned about nss and nspr.  Why does the new rpm need
them?  What other Owl-relevant software needs them (so that we'd want to
keep them available for use by other than rpm)?

Speaking of rpm's signature checking, if it requires this sort of crap
now I'd say that maybe we better drop/exclude its signature checking
support (which we don't use ourselves anyway, using mtree instead).
Being able to check signatures of other distros' packages on Owl before
possibly installing them on an Owl system is nice... but maybe not nice
enough for us to bite that bullet.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.