[Exim-dev] Security & Development issues

Pàgina inicial
Delete this message
Reply to this message
Autor: Nigel Metheringham
Data:  
A: exim-dev
Assumpte: [Exim-dev] Security & Development issues
[These are thoughts around this sort of issue, as a discussion starter.
If discussion moves off this topic can people please change to a new
thread]

      * Exim is a large (normally) setuid daemon with lots of
        privileges.
      * No matter how good we are, exim *will* have security issues.
      * We need to have processes to:-
              * Inspect committed code for security issues
              * Ensure released code is not compromised
              * Accept security reports in a timely fashion
              * Engineer security fixes without (if possible) giving
                those who might attack vulnerable installations an
                advance attack period.


Does anyone have any information on means to ensure a CVS repository is
not suffering unexpected changes other than producing an overall diff
frequently against a known source and then eyeballing that? [sounds
like a tall order but...]

We also need to think through the ways of handling security issues - we
do not have any good means to ensure that someone is always available
:-/

    Nigel.


-- 
[ Nigel Metheringham           Nigel.Metheringham@??? ]
[ - Comments in this message are my own and not ITO opinion/policy - ]