realpath(3) et al
Nickolay A. Kritsky
nkritsky at internethelp.ru
Tue Aug 12 05:59:43 PDT 2003
Hello Jacques,
Tuesday, August 12, 2003, 3:21:32 AM, you wrote:
>> My question is... If enabling a 3rd-party audit for some target release
>> (5.3+ I'd assume) is desirable, what would be needed money-, time- and
>> other-wise?
JAV> People need to read code, that's all. You can share your code reading
JAV> insights at freebsd-audit at freebsd.org, or if you believe it is
JAV> sensitive, with security-team at freebsd.org.
JAV> We _do_ already audit code, you know. FreeBSD-SA-03:09.signal was a
JAV> result of my auditing, FreeBSD-SA-03:10.ibcs2 was a result of David's
JAV> auditing. Also, many commits that are just `cleanup' are the result
JAV> of a kind of `auditing'.
JAV> What we perhaps lack is coordination. This is not easy in a volunteer
JAV> environment, but perhaps something as simple as a `scoreboard' with
JAV> `these files being audited/have been audited by whatsmyname' would be
JAV> an improvement. On the other hand, in my experience, people are quick
JAV> to volunteer and slow to follow up --- usually disappearing. :-( Of
JAV> course, those that do follow up often become committers themselves :-)
Some time ago I saw the problem reports database on FreeBSD's
website. Why not use it for audit tracking? You can add an 'audit'
class, or maybe some 'audit-*' categories? Did you think about this?
;-------------------------------------------
; NKritsky
; mailto:nkritsky at internethelp.ru
More information about the freebsd-security
mailing list