headers
Mansour Moufid | 4 Jun 2009 05:44
Picon

the Gentoo Audit project and dev-util/splint

Hello list,

I was wondering if I could get peoples' opinions of dev-util/splint
(the Secure Programming Lint) [1], and specifically in the context of
development on Gentoo -- if you've used this tool before and if you
did or didn't find it useful?

I noticed it wasn't listed as a source code audit aid on the Gentoo
Audit project page [2]. Is there a specific reason for this or was
simply an oversight? I wouldn't mind contributing a brief paragraph or
so on the subject.

( I apologize if this is off topic for gentoo-security, I noticed this
list is rather low-traffic... )

[1] http://packages.gentoo.org/package/dev-util/splint?full_cat
[2] http://www.gentoo.org/proj/en/security/audit.xml

--

-- 
Mansour Moufid
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x95BBC25F
Permalink | Reply |
headers
Robert Buchholz | 4 Jun 2009 12:58
Picon
Favicon

Re: the Gentoo Audit project and dev-util/splint

On Thursday 04 June 2009, Mansour Moufid wrote:
> Hello list,
>
> I was wondering if I could get peoples' opinions of dev-util/splint
> (the Secure Programming Lint) [1], and specifically in the context of
> development on Gentoo -- if you've used this tool before and if you
> did or didn't find it useful?
>
> I noticed it wasn't listed as a source code audit aid on the Gentoo
> Audit project page [2]. Is there a specific reason for this or was
> simply an oversight? I wouldn't mind contributing a brief paragraph
> or so on the subject.

Hi Mansour,

I will add the item to the list -- the other tools do not have any 
description either.
However note that the Auditing project is currently in a sleeping state. 
No one is auditing code in the tree for new vulnerabilities (at least 
not as part of the project). If you have an interest in this subject 
and would like to participate in reviving the project, that would be 
great. It can be a way to become a Gentoo developer and participate in 
a great community, and to cooperate with others in the Security project 
and other vendors. But keep in mind there is a certain amount of work 
that comes with this.

Robert
Permalink | Reply |
headers
Mansour Moufid | 10 Jun 2009 22:35
Picon

Re: the Gentoo Audit project and dev-util/splint


On Thu, Jun 4, 2009 at 6:58 AM, Robert Buchholz<rbu <at> gentoo.org> wrote:
> However note that the Auditing project is currently in a sleeping state.
> No one is auditing code in the tree for new vulnerabilities (at least
> not as part of the project).

That's a shame. I get the impression Gentoo is geared toward the
security crowd, or rather, more so than other distributions I've come
across.

> If you have an interest in this subject
> and would like to participate in reviving the project, that would be
> great. It can be a way to become a Gentoo developer and participate in
> a great community, and to cooperate with others in the Security project
> and other vendors.

Yes, exactly. This is the type of project I've been looking to get
involved in anyway, so it made sense to try to do so within the
framework of Gentoo. : )

> But keep in mind there is a certain amount of work that comes with this.

How much time would members typically put in, say, per week? I imagine
it's difficult to estimate an 'average' -- since most of the time
spent is probably in actually reviewing source code -- but I'm looking
forward to contributing a decent number of hours a week as part of
this project. Effort is certainly no deterrent.

--
Mansour Moufid
(Continue reading)

Permalink | Reply |
headers
Robert Buchholz | 11 Jun 2009 16:13
Picon
Favicon

Re: the Gentoo Audit project and dev-util/splint

Hello Mansour,

On Wednesday 10 June 2009, Mansour Moufid wrote:
> > But keep in mind there is a certain amount of work that comes with
> > this.
>
> How much time would members typically put in, say, per week? I
> imagine it's difficult to estimate an 'average' -- since most of the
> time spent is probably in actually reviewing source code -- but I'm
> looking forward to contributing a decent number of hours a week as
> part of this project. Effort is certainly no deterrent.

As with most oss projects, you put in the amount of time you are 
comfortable with. There's usually more items on the TODO stack than you 
can handle anyway, so you either let it rest for a few days/weeks when 
you are busy, or work off large chunks when you have some time to burn.

To get you started, I would suggest you look for tasks that sound 
interesting. There are several bugs that need attention. Some of them 
are in the "Gentoo Security/Audit" section of Bugzilla. Mondo-rescue's 
latest version needs to be looked at, for example: 
https://bugs.gentoo.org/show_bug.cgi?id=106497

There is a list of packages bundling libraries. Some of these might have 
security impact: 
https://bugs.gentoo.org/showdependencytree.cgi?id=251464

There's also some of the "Gentoo Security/Vulnerabilities" bugs that 
need attention. If you're seeking to discover new vulnerabilities 
instead of working on details of existing bugs, can literally start
(Continue reading)

Permalink | Reply |

Gmane