realpath(3) et al

Nickolay A. Kritsky nkritsky at internethelp.ru
Tue Aug 12 05:59:43 PDT 2003


Hello Jacques,

Tuesday, August 12, 2003, 3:21:32 AM, you wrote:

>> My question is...  If enabling a 3rd-party audit for some target release
>> (5.3+ I'd assume) is desirable, what would be needed money-, time- and
>> other-wise?  

JAV> People need to read code, that's all.  You can share your code reading
JAV> insights at freebsd-audit at freebsd.org, or if you believe it is
JAV> sensitive, with security-team at freebsd.org.

JAV> We _do_ already audit code, you know.  FreeBSD-SA-03:09.signal was a
JAV> result of my auditing, FreeBSD-SA-03:10.ibcs2 was a result of David's
JAV> auditing.  Also, many commits that are just `cleanup' are the result
JAV> of a kind of `auditing'.

JAV> What we perhaps lack is coordination.  This is not easy in a volunteer
JAV> environment, but perhaps something as simple as a `scoreboard' with
JAV> `these files being audited/have been audited by whatsmyname' would be
JAV> an improvement.  On the other hand, in my experience, people are quick
JAV> to volunteer and slow to follow up --- usually disappearing. :-(  Of
JAV> course, those that do follow up often become committers themselves :-)

Some time ago I saw the problem reports database on FreeBSD's
website. Why not use it for audit tracking? You could add an 'audit'
class, or maybe some 'audit-*' categories? Have you thought about this?

;-------------------------------------------
; NKritsky
; mailto:nkritsky at internethelp.ru
