On Sun, May 25, 2003 at 04:09:51PM +1000, Russell Coker wrote:

> On Sun, 25 May 2003 15:11, Matt Zimmerman wrote:
> > This approach does not scale. I cannot personally review the diffs for
> > every upstream release of all the software in Debian, nor can any other
> > individual or even a small group.
>
> It does not scale to all software in Debian. But most software does not
> need much in the way of security auditing.

Any software that a user interacts with is trusted to some extent, and could
contain significant vulnerabilities. We rely on external sources for this
information, such as upstream authors, individual security researchers and
organizations.

> A small group of people could review all kernel patches that make it into
> the official tree. Of course getting even a small group of people who
> have the skill to do such work properly and the time to do it continually
> may not be easy.

Indeed, it would be even more difficult to find people who would be willing
to waste time searching for things that others discarded, apparently knowing
that they were important. I certainly don't want that job.

-- 
 - mdz