On Tue, Oct 23, 2001 at 09:55:04AM +0200, Christian Kurz wrote:

> Do you know how difficult and time-consuming it really is to do a manual
> source code audit? Also the available programs for source code audits
> can only give you hints which parts of a program might be suspicious, but
> you still would have to verify everything by hand to be really sure.

FreeBSD does it for their ports tree. In fact, this has been a matter of controversy, as the FreeBSD team issues a huge number of security advisories for software that really has nothing to do with FreeBSD. This has caused casual observers to erroneously believe FreeBSD is less secure than other, less carefully managed operating system projects.

Yes, source-code audits are time-consuming. Time-consuming is different from "not possible", however. The alternative is the "ostrich" method of security management.

-Michael Robinson