oss-sec mailing list archives

Re: code review CVS


From: Vincent Danen <vdanen () linsec ca>
Date: Mon, 18 Feb 2008 09:00:24 -0700

* [2008-02-18 10:28:36 +0100] Sebastian Krahmer wrote:

> From my view it would be helpful to have some forum/CVS or whatever
> where code reviewers can submit the code they already audited along
> with remarks/exploits/patches etc.
> So everyone can match this against the version of the OSS project.
> In an ideal case their latest released version equals the
> version in the review CVS. It saves also the time to review
> files again which didn't change during versions.

This is an intriguing idea, but I wonder if a version control system is
actually required, or if we could use the wiki itself for something like
this.

A code checkin of audited source might be nice for "pristine" code
purposes, but then we almost duplicate an author's scm system.

Would not a simple list of software be sufficient?  For instance,
something that listed:

- software name
- audited version
- audit date
- who did the audit
- results of the audit (links to patches, whatever)

Most authors keep old packages kicking around, so I don't think we need
an scm for this.  I mean, if you review foo-1.1 and it's ok, and someone
indicates a vuln in foo-1.3, then one could easily download both foo-1.1
and foo-1.3 and just do a diff to see what's changed, right?

Or do I miss something where a scm would be really valuable?

--
Vincent Danen @ http://linsec.ca/
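As an added illustration of the audit list and the "download both and diff" step discussed above (example code, not from this thread or any project in it): the record fields follow the list in the message, while the in-memory source trees, the SHA-256 digests and the sample file contents are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class AuditRecord:
    """One entry of the audit list proposed in the message (field names assumed)."""
    software: str
    audited_version: str
    audit_date: str
    auditor: str
    results: str                      # link to patches, notes, ...
    file_digests: dict = field(default_factory=dict)  # digests of the reviewed tree


def digest_tree(tree):
    """Map each relative path of an in-memory tree {path: bytes} to its SHA-256 digest."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def review_delta(record, new_tree):
    """Classify files of a newer release against the audited one: files whose
    digest is unchanged are still covered; changed and added files need review."""
    new = digest_tree(new_tree)
    old = record.file_digests
    return {
        "unchanged": sorted(p for p in old if new.get(p) == old[p]),
        "changed": sorted(p for p in old if p in new and new[p] != old[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


# Constructed sample trees standing in for foo-1.1 (audited) and foo-1.3.
FOO_1_1 = {
    "src/main.c": b"int main(void) { return run(); }\n",
    "src/parse.c": b"int parse(char *s) { return s[0]; }\n",
    "src/util.c": b"void log_msg(const char *m) {}\n",
}
FOO_1_3 = {
    "src/main.c": b"int main(void) { return run(); }\n",
    "src/parse.c": b"int parse(char *s) { return s ? s[0] : -1; }\n",
    "src/net.c": b"int connect_to(const char *h) { return 0; }\n",
}
AUDIT_FOO_1_1 = AuditRecord("foo", "1.1", "2008-02-18", "reviewer@example",
                            "no findings", digest_tree(FOO_1_1))

if __name__ == "__main__":
    for kind, paths in review_delta(AUDIT_FOO_1_1, FOO_1_3).items():
        print(f"{kind}: {paths}")
```

Only the "changed" and "added" sets need a reviewer's time; the "unchanged" set is still covered by the recorded audit.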
