* Christian Kurz ([EMAIL PROTECTED]) [001107 00:03]:
> [Changed Reply-To to point to the right list]

Not so sure about that. I do NOT want the security issues to be an issue for the super advanced/paranoid/freaked-out-ones/security-aware ones. That is part of the idea. So I do not want the discussion going on in some remote mailing list, but for everyone to see and read. If we do not get the idea across to lots of people, we will not win anything. Today's volume of our distribution is out of hand. We have 4000 packages and are not enough (all developers that is, not just the ones reading debian-security) to look over our source any time soon. And numbers get worse if people are not educated.

> This won't be possible as you need a lot of knowledge about security and
> programming to do a real audit. It's not enough to have knowledge about
> security only or programming only, but it's the combination of both
> kinds of knowledge that allows you to do audits.

We are running Debian and most of us speak at least one programming language. I guess within the last 3 to 5 years you have learned things you were not even aware existed. It is a continuous process, and why should it stop at secure programming?

> Why don't you ask for help on this on security-audit? This list was
> originally created for doing audits of unix tools and is seldom used.
> (You should know this. :)

I should, I am subscribed there. I also see how much progress is made. The majority of the mails from the last two weeks were off topic and about the break-in at Microsoft. I guess it was 10 mails altogether. You get my point?

I think the long-term perspective must be to have some AI (yes, SciFi) doing the simple audits. There is no other way to manage the amounts of code we have nowadays. We (that is: you; I just started) have accomplished a lot; why not invest some brains in a way to do better automated audits?

