Hello, before anything else, I did read all the material about the OpenBSD security policies on the website. Now I am trying to get some more insider insight on it. Writing a paper about open source software security and not including the OpenBSD case is kinda idiotic, so I am running against time to find more info.

I made a simple list of 5 questions to be answered by an active developer of the project; the questions are below. If you feel you have a little time to help me with that, please reply to my private email to prevent unnecessary traffic. I used the same questions on all the projects I researched, so they are not specific questions. I also apologise for any inconvenience this message may cause.

=====================================

Hello, I am called Jose de Paula E. Junior but most of my coworkers call me coredump :) I am a linux/bsd administrator, using open source software since 1997 and studying various security related subjects. I am now writing a paper titled 'Software Security on Open Source and Free Software projects'. It is my final paper in college and I need to do some research about how different projects deal with software security. If I can ask for a minute of your help, I am including some questions about how the OpenBSD/OpenSSH project deals with some factors. I read the documentation on the site already and would like to get some more info about the process. Thanks in advance for any help.

==============

1) How do the OpenBSD and OpenSSH projects deal with security during actual development and with community patches? Is there any automatic auditing of source code, security specific testing, or auditing of external/community sent patches?

2) Is the OpenBSD and OpenSSH code always available, or do they have periodic releases? Do those releases, if they exist, have any security specific treatment or auditing?

3) Do the OpenBSD and OpenSSH projects have security specific teams or mailing lists for handling security issues during development and release, or after release to receive and deal with vulnerabilities or security concerns?

4) How do the OpenBSD and OpenSSH projects deal with security problems and vulnerabilities found in the wild? Are the discovered OpenBSD and OpenSSH vulnerabilities fully disclosed, or are they worked on under a blanket until fixed? Are security fixes rapidly developed and integrated into the current released version, or only into a next release?

5) Any other consideration you would like to add about secure software development on projects with many distributed contributors/developers?

-- José de Paula Eufrásio Júnior aka coredump http://core.eti.br