Re: [Exim-dev] Security & Development issues

Author: Richard Welty
Date:  
To: exim-dev
Subject: Re: [Exim-dev] Security & Development issues
On Wed, 10 Mar 2004 15:46:10 +0000 Yann Golanski <yann@???> wrote:
> Quoth Nigel Metheringham on Wed, Mar 10, 2004 at 14:11:59 +0000


> >       * No matter how good we are, exim *will* have security issues.
> >       * We need to have processes to:-
> >               * Inspect committed code for security issues


> I think there are some documents (OpenBSD?) that define how to avoid most
> of C "nasty" functions. Of course, attracting someone who knows about
> those security things would be good too.


the OpenBSD model of auditing code is good to consider. additionally,
they've defined new string functions to replace the stock C ones that
are much less error prone; it may be that at some point it'd be worthwhile
to sweep through and do that conversion. i know that they killed a lot of
bugs in the course of making those changes in OpenBSD.

> >               * Ensure released code is not compromised
> >               * Accept security reports in a timely fashion
> >               * Engineer security fixes without (if possible) giving
> >                 those who might attack vulnerable installations an
> >                 advance attack period.


> I think that if we have a security officer or some such this should be
> easily done. It does not have to be the head developer but someone else
> in charge.


this requires someone with some seriously good judgement. again,
going back to the OpenBSD situation, when the nasty integer
overflow bug was found in OpenSSH last year, they did about as
good a job as was possible at getting things squared away -- but
it was a very tricky situation, and some are still giving the OpenBSD
team a lot of flak over the handling of it.

> > We also need to think through the ways of handling security issues - we
> > do not have any good means to ensure that someone is always available
> > :-/


> Apart from a security (invite only?) list, I don't see how this can be
> done. All of us have work and other commitments and can't spend the time
> Phil is spending on Exim.


a restricted subset of the development list, a "security" committee, may
well be the way to go.

richard
-- 
Richard Welty                                         rwelty@???
Averill Park Networking                                         518-573-7592
    Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security