Re: Maintaining packages properly

2009-03-19 Thread Steve Kemp
On Wed Mar 18, 2009 at 21:01:04 -0400, Micah Anderson wrote:

> However, I do see your point about NEW packages, and it might be
> interesting, if we could get enough security auditors who had the skills
> and the time, to be a part of the NEW process. This could introduce an
> unnecessary delay in the processing of packages, depending on the depth
> and bredth of such an audit. Or even or a false sense of security if
> people think that their packages are free of security holes if they've
> passed NEW.

  The security audit project mostly seems to have stalled/died.  There
 was a time when there were people actively taking part and doing
 semi-directed audits of the archive.

  These days it is very very rare that anybody does so, which is
 unfortunate (speaking both as the person who started it, and as somebody
 who would love to have such an effort be more visible and active.)

  I've been on the point of updating the webpages several times to
 say "this activity is dead, and these are merely historic notes" but
 haven't quite wanted to admit defeat.

> > Maybe more people could join the debian security audit team? For a lot
> > of PHP packages it would be enough to check whether certain functions
> > (e.g.  htmlspecialchars) are found. If not, this is often an
> > indication of insufficient protection measures.
>
> Calling all interested security people who have just been dying to
> show their skills, or develop stronger auditing skills!

  I think if there is no such response then it is definitely time to
 call it a day and cease pretending we have auditors on hand.

Steve
--
Managed Anti-Spam Service
http://mail-scanning.com/


-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Re: Maintaining packages properly

2009-03-18 Thread Micah Anderson
* Steffen Joeris  [2009-03-18 18:48-0400]:
> On Thu, 19 Mar 2009 09:19:28 am Micah Anderson wrote:

[snip: removed some unrelated stuff to move discussion to
debian-security, please reply there]

> > On a somewhat tangential note, I've been asked a number of times by
> > people why Debian doesn't have security review/auditing of core
> > important packages. These questions have come more frequently after the
> > openssl issue happened (which for some reason people tend to call a
> > 'debacle', why that word was chosen and repeated would be an interesting
> > research project).
> >
> > In OpenBSD they have taken their security audit team (between 6-12
> > members) and set them on looking for security holes through a process of
> > file-by-file analysis of their critical software components. They
> > determined which elements of the core system are the most critical and
> > have spent a lot of time on reviewing these pieces. This is a process
> > whereby code gets audited and re-audited by different people with
> > different skills over time. Debian has an audit team, but its more of a
> > side-project than a commitment by the project.
> >
> > The OpenBSD security auditing process has succeeded because it was
> > proactive in this approach. I think that the auditing process is not
> > trivial, but it does seem like it would be a good thing for Debian to
> > tighten up in this area. I dont know what packages this would mean, or
> > what this process would entail, but I know we have a team of folks who
> > are commited to auditing in Debian and we just need to bring them closer
> > to the core in some way, without making those core maintainers feel like
> > their work is under suspicion.
>
> Not really sure about that one. 
> However, what tends to happen a lot is that fairly new packages are full of 
> security issues. Quite often it is the case that one flaw is detected by 
> chance and then a further audit reveals all sorts of funny things (this just 
> so happens to be the case with a lot of PHP/web stuff). It is impossible to 
> detect all these packages before the release and it should also be a last 
> resort to remove such packages from a stable release.

The point I was making was about a small subset of "core" packages, not
the entire archive. I think the entire archive would only ever be done
through an automated scanner. Perhaps the subset would be 'essential'
plus one or two others that introduce vectors into a system, but which
are necessary to access a system and are not 'essential', such as
openssh-server. If the set was small enough then in-depth analysis could
be done, and on a regular basis. Focusing the efforts of some skilled
security auditors on some core Linux programs (even openssh) would
benefit more than just Debian as well.

However, I do see your point about NEW packages, and it might be
interesting, if we could get enough security auditors who had the skills
and the time, to be a part of the NEW process. This could introduce an
unnecessary delay in the processing of packages, depending on the depth
and bredth of such an audit. Or even or a false sense of security if
people think that their packages are free of security holes if they've
passed NEW. 

> Maybe more people could join the debian security audit team? For a lot
> of PHP packages it would be enough to check whether certain functions
> (e.g.  htmlspecialchars) are found. If not, this is often an
> indication of insufficient protection measures.

Calling all interested security people who have just been dying to
show their skills, or develop stronger auditing skills!

micah



signature.asc
Description: Digital signature