oss-sec mailing list archives
Re: code review CVS
From: Sebastian Krahmer <krahmer () suse de>
Date: Tue, 19 Feb 2008 08:35:44 +0100
On Mon, Feb 18, 2008 at 09:00:24AM -0700, Vincent Danen wrote: I am not sure if a cvs or something like a -AUDITED branch would be the right way, since it might not be obvious which older versions were reviewed too if new versions are commited. Maybe a wiki with patch subdir and link to the reviewed CVS version/branch will suffice. Need to play around :) On the other hand if such a project grows you can have a complete distro you can check out and you always see which parts of a distro or larger project are reviewed such as apache w/o certain modules. problem is that such partial reviews may stop to compile upon checkout. Sebastian
* [2008-02-18 10:28:36 +0100] Sebastian Krahmer wrote:From my view it would be helpful to have some forum/CVS or whateverwhere code reviewers can submit the code they already audited along with remarks/exploits/patches etc. So everyone can match this against the version of the OSS project. In an ideal case their latest released version equals the version in the review CVS. It saves also the time to review files again which didnt change during versions.This is an intriguing idea, but I wonder if a version control system is actually required, or if we could use the wiki itself for something like this. A code checkin of audited source might be nice for "pristine" code purposes, but then we almost duplicate an author's scm system. Would not a simple list of software be sufficient? For instance, something that listed: - software name - audited version - audit date - who did the audit - results of the audit (links to patches, whatever) Most authors keep old packages kicking around, so I don't think we need an scm for this. I mean, if you review foo-1.1 and it's ok, and someone indicates a vuln in foo-1.3, then one could easily download both foo-1.1 and foo-1.3 and just do a diff to see what's changed, right? Or do I miss something where a scm would be really valuable? -- Vincent Danen @ http://linsec.ca/
-- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer () suse de - SuSE Security Team ~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Current thread:
- code review CVS Sebastian Krahmer (Feb 18)
- Re: code review CVS Vincent Danen (Feb 18)
- Re: code review CVS Sebastian Krahmer (Feb 18)
- Re: code review CVS Vincent Danen (Feb 20)
- Re: code review CVS Kees Cook (Feb 20)
- Re: code review CVS Vincent Danen (Feb 20)
- Re: code review CVS Pierre-Yves Rofes (Feb 21)
- Re: code review CVS Mark J Cox (Feb 21)
- Re: code review CVS Kees Cook (Feb 21)
- Re: code review CVS Tomas Hoger (Feb 22)
- Re: code review CVS Kees Cook (Feb 22)
- Re: code review CVS Sebastian Krahmer (Feb 18)
- Re: code review CVS Vincent Danen (Feb 21)
- Re: extracting patches from SRPMs (Was: code review CVS) (GalaxyMaster) (Feb 21)
- Re: code review CVS Vincent Danen (Feb 18)