On Sat, Aug 02, 2003 at 08:58:00PM -0500, Manoj Srivastava wrote:
>
> Given the last review of a setgid program, I wonder if two
> people are enough. The mistake was simple, human, and understandable,
> but the review does not in fact talk about any flaws in the current
> version of angband (tome does need to be so changed); and this kind
> of error would undermine the process -- especially if the results are
> couched in terms like those below:
I think it's accepted that no matter how many people look at a piece of code, there may be things missed. There are programs I've examined in the past which I believed were OK, only to later see that they contained flaws. It's easy to imagine things would still be overlooked with more people looking at the code, so a "false positive" review would occur.

However, what's the worst that could happen? If there were a team and they messed up, we'd have a vulnerable program in the archive, which is exactly what we have now. If something were spotted, then it could be fixed and we'd have reached a better degree of security than that which we currently enjoy.

Given the time it would take for a few people to look over a program, I think it's a reasonable suggestion, and worth doing even if it doesn't catch *everything*.

Steve