
RE: Miscellaneous things.

Perhaps what would be useful is to have a checklist of items which can be
added to the Makefile (or somewhere in the files directory), which will
then automagically appear in make searches or whatever.  These items would
essentially be things which semantically resolve to "scanned for buffer
overflows", "mktemp's changed to mkstemp's", "configured to run in chroot
purgatory", etc.  This way, the default port would have none of this
configured, but you could from the higher level makefiles run "make
SECURELEVEL=somethingorother" and that would exclude ports without the
required characteristics.


-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]On Behalf Of
Sent: Friday, September 24, 1999 3:12 PM
To: Marc Espie
Cc: misc@openbsd.org
Subject: Re: Miscellaneous things.

Marc Espie writes:
> On Fri, Sep 24, 1999 at 08:16:34AM -0700, Alex Bochannek wrote:
> > None of these packages came out of /usr/ports.
> Which is just plain WRONG !!!
> Stuff which builds correctly under OpenBSD belongs in port, it's not
> hard to write a Makefile and a packing list, come ON people.

Whoa there!  Before you foam at the mouth :-), better re-read


The security checklist alone
is 16 individual things to watch for and probably alter in your
candidate port.  Eg:

  Any software to be installed as a server should be scanned for
  buffer overflows, especially unsafe use of strcat/strcpy/strcmp/sprintf.
  In general, sprintf should be replaced with snprintf.

The Makefile and packing list is a teensy part of this effort.

Don't get me wrong: I'm all for people doing the work required to
produce ports; I *love* watching people work :-)  But make no mistake
that it takes a talented programmer with the requisite knowledge
and respect for the security and quality issues to do a proper job.
Oh, and the time too.

-bmw   | Double helix in the sky tonight
       | Throw out the hardware
       | Let's do it right   -- Steely Dan; Aja
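
The two substitutions named in this thread (sprintf to snprintf, mktemp to mkstemp), shown in C as an added example that is not part of either message or of the OpenBSD ports tree. The helper names build_path and make_scratch and the sample paths are hypothetical.

```c
#define _XOPEN_SOURCE 700   /* expose mkstemp() under strict -std= builds */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: build "<dir>/<name>" into out[outlen].
 * Returns 0 on success, -1 if the result would not fit. */
int build_path(char *out, size_t outlen, const char *dir, const char *name)
{
    /* Before: sprintf(out, "%s/%s", dir, name);
     * sprintf has no idea how large out[] is and writes past it on long input. */
    int n = snprintf(out, outlen, "%s/%s", dir, name);

    /* snprintf returns the length it wanted to write; a value >= outlen
     * means the result was truncated, which is an error, not a success. */
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Hypothetical helper: create a private scratch file under dir.
 * Returns an open descriptor (caller closes and unlinks) or -1. */
int make_scratch(char *path, size_t pathlen, const char *dir)
{
    /* Before: mktemp(path); fd = open(path, O_CREAT | O_WRONLY, 0600);
     * the name is only chosen, so another process can create it first. */
    if (build_path(path, pathlen, dir, "port.XXXXXX") != 0)
        return -1;
    return mkstemp(path);   /* picks the name and creates the file in one step */
}

int main(void)
{
    char small[16], tmp[64];

    /* Constructed sample inputs: one that fits in 16 bytes, one that does not. */
    printf("short: %d\n", build_path(small, sizeof small, "/tmp", "a.conf"));
    printf("long:  %d\n", build_path(small, sizeof small, "/var/db/pkg", "very-long-name"));

    int fd = make_scratch(tmp, sizeof tmp, "/tmp");
    if (fd >= 0) {
        printf("scratch: %s\n", tmp);
        close(fd);
        unlink(tmp);
    }
    return 0;
}
```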