On Sat, Aug 02, 2003 at 08:58:00PM -0500, Manoj Srivastava wrote:
> Given the last review of a setgid program, I wonder if two
> people are enough.

Surely two people would be an improvement over the current situation, where there is no review at all. Our demonstration has shown how one person can discover some common flaws with a relatively brief review. This bug and others existed in your package for over four years (and still exist in stable today). We might still not know about it if you had not brought the package to my attention for review. Steve Kemp might have eventually discovered it in the course of his auditing, but I don't know whether he is spending his time on non-free software such as angband.

Keep in mind that there are also potentially more than two people interested in this review process. Another person besides myself has already volunteered in just the first day of discussion, and I find this very encouraging.

> The mistake was simple, human, and understandable, but the review does
> not in fact talk about any flaws in the current version of angband

The review, simplistic though it was, uncovered flaws in the package in stable which were overlooked by the maintainer. This kind of situation is often preventable through discussion and code review, as you have seen. I would like to promote this beneficial process within Debian in order to reduce the workload of the security team and the presence of vulnerabilities in our stable releases.

-- 
- mdz