Mailing List Archive

the Gentoo Audit project and dev-util/splint
Hello list,

I was wondering if I could get peoples' opinions of dev-util/splint
(the Secure Programming Lint) [1], and specifically in the context of
development on Gentoo -- if you've used this tool before and if you
did or didn't find it useful?

I noticed it wasn't listed as a source code audit aid on the Gentoo
Audit project page [2]. Is there a specific reason for this or was
simply an oversight? I wouldn't mind contributing a brief paragraph or
so on the subject.

( I apologize if this is off topic for gentoo-security, I noticed this
list is rather low-traffic... )

[1] http://packages.gentoo.org/package/dev-util/splint?full_cat
[2] http://www.gentoo.org/proj/en/security/audit.xml

--
Mansour Moufid
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x95BBC25F
Re: the Gentoo Audit project and dev-util/splint [ In reply to ]
On Thursday 04 June 2009, Mansour Moufid wrote:
> Hello list,
>
> I was wondering if I could get peoples' opinions of dev-util/splint
> (the Secure Programming Lint) [1], and specifically in the context of
> development on Gentoo -- if you've used this tool before and if you
> did or didn't find it useful?
>
> I noticed it wasn't listed as a source code audit aid on the Gentoo
> Audit project page [2]. Is there a specific reason for this or was
> simply an oversight? I wouldn't mind contributing a brief paragraph
> or so on the subject.

Hi Mansour,

I will add the item to the list -- the other tools do not have any
description either.
However note that the Auditing project is currently in a sleeping state.
No one is auditing code in the tree for new vulnerabilities (at least
not as part of the project). If you have an interest in this subject
and would like to participate in reviving the project, that would be
great. It can be a way to become a Gentoo developer and participate in
a great community, and to cooperate with others in the Security project
and other vendors. But keep in mind there is a certain amount of work
that comes with this.


Robert
Re: the Gentoo Audit project and dev-util/splint [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jun 4, 2009 at 6:58 AM, Robert Buchholz<rbu@gentoo.org> wrote:
> However note that the Auditing project is currently in a sleeping state.
> No one is auditing code in the tree for new vulnerabilities (at least
> not as part of the project).

That's a shame. I get the impression Gentoo is geared toward the
security crowd, or rather, more so than other distributions I've come
across.

> If you have an interest in this subject
> and would like to participate in reviving the project, that would be
> great. It can be a way to become a Gentoo developer and participate in
> a great community, and to cooperate with others in the Security project
> and other vendors.

Yes, exactly. This is the type of project I've been looking to get
involved in anyway, so it made sense to try to do so within the
framework of Gentoo. : )

> But keep in mind there is a certain amount of work that comes with this.

How much time would members typically put in, say, per week? I imagine
it's difficult to estimate an 'average' -- since most of the time
spent is probably in actually reviewing source code -- but I'm looking
forward to contributing a decent number of hours a week as part of
this project. Effort is certainly no deterrent.

- --
Mansour Moufid
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x95BBC25F
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.5)

iEYEARECAAYFAkowGLUACgkQ83JwsZW7wl+FbgCfUREih6vKiNtVvRIGrO02BCB9
VnoAoIJ/r7h4uzdEO/v3WPVQ17rKX9Cx
=1Kdq
-----END PGP SIGNATURE-----
Re: the Gentoo Audit project and dev-util/splint [ In reply to ]
Hello Mansour,

On Wednesday 10 June 2009, Mansour Moufid wrote:
> > But keep in mind there is a certain amount of work that comes with
> > this.
>
> How much time would members typically put in, say, per week? I
> imagine it's difficult to estimate an 'average' -- since most of the
> time spent is probably in actually reviewing source code -- but I'm
> looking forward to contributing a decent number of hours a week as
> part of this project. Effort is certainly no deterrent.

As with most oss projects, you put in the amount of time you are
comfortable with. There's usually more items on the TODO stack than you
can handle anyway, so you either let it rest for a few days/weeks when
you are busy, or work off large chunks when you have some time to burn.

To get you started, I would suggest you look for tasks that sound
interesting. There are several bugs that need attention. Some of them
are in the "Gentoo Security/Audit" section of Bugzilla. Mondo-rescue's
latest version needs to be looked at, for example:
https://bugs.gentoo.org/show_bug.cgi?id=106497

There is a list of packages bundling libraries. Some of these might have
security impact:
https://bugs.gentoo.org/showdependencytree.cgi?id=251464

There's also some of the "Gentoo Security/Vulnerabilities" bugs that
need attention. If you're seeking to discover new vulnerabilities
instead of working on details of existing bugs, can literally start
anywhere you like.

Contact us in IRC or via Jabber if you need assistance.

Robert