Re: [gnome-love] Code Auditing as Love



On 31 May 2001, Mads Villadsen wrote:

"Jeff" == Jeff Waugh <jdub perkypants org> writes:

 Jeff> Hi all, I was just reading today's LWN front page
 Jeff> <http://lwn.net/>, and wondered what we were doing to promote
 Jeff> auditing action on the GNOME code... This is certainly
 Jeff> something that budding hackers can contribute to - even lodging
 Jeff> bugs about suspicious code would be very helpful.

 Jeff> Perhaps we should have an Amazing Auditing Dude award of the
 Jeff> week, published in the GNOME summaries? It's very important for
 Jeff> new contributors to feel known and welcome, and I think this
 Jeff> would be a good way to highlight some tough work being done.

 Jeff> [ The tough part of this is that auditing is a
 Jeff> difficult-to-quantify task.  Perhaps some of the 'elders' could
 Jeff> recommend interesting ways of getting into this. ]

I just read the same thing, and I was actually thinking about this as
well.

This would be a nice way to get to know the code to a certain
program. What I think is needed is some sort of check list with common
errors (not deallocating memory, using insecure temp files, etc.), and
links to tools that can help (such as memprof, etc.).

I myself have no experience in doing this, so I can't provide the
list, but hopefully others can.

This sort of a document would be a great starting place.  I guess the
first thing that must be done is research on the web as to whether such a
document already exists.  Anybody can do this - you don't need experience
with code auditing.  Once we know what is out there, we can decide whether
to use the existing documentation or to adapt and improve on it for GNOME.

I think this is a fine place for somebody who is looking for a task to
contribute.

BTW: This would not only be helpful for people auditing code, but would be
valuable to hackers who want to avoid the most common pitfalls in their
code.

Dan
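As an added illustration of the checklist idea discussed above (this is an editor's example, not code from GNOME or from anyone in the thread), here is a small Python scanner that flags the C library calls an auditor would look at first, including the insecure temp-file functions mentioned, over a constructed C fragment. The checklist entries are assumed; memory that is never deallocated is left to a runtime tool such as memprof, since a text scan cannot see it.

```python
import re

# Calls an auditor would check first, with the reason. The selection is the
# editor's own (constructed for this example), not a GNOME project list.
CHECKLIST = {
    "tmpnam": "insecure temp file: predictable name, race between naming and opening",
    "mktemp": "insecure temp file: returns a name but does not create the file atomically",
    "gets": "unbounded read into a fixed buffer",
    "strcpy": "unbounded copy; check the destination size",
    "sprintf": "unbounded format into a fixed buffer",
}
# Match `name(` as a call; \b stops g_strcpy-style prefixed names from matching.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, CHECKLIST)) + r")\s*\(")
# Block comments, line comments and string literals, matched in one pass.
NOISE_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"', re.S)

def blank_noise(src):
    """Blank comments and string literals but keep newlines, so reported
    line numbers still refer to the original source."""
    return NOISE_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def audit(src):
    """Return (line, call, reason) for each checklist call found in C source."""
    findings = []
    for lineno, line in enumerate(blank_noise(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            findings.append((lineno, m.group(1), CHECKLIST[m.group(1)]))
    return findings

def report(filename, src):
    """Format findings the way a bug report would quote them."""
    return [f"{filename}:{ln}: {call}(): {why}" for ln, call, why in audit(src)]

# Constructed sample C source; it is not taken from any GNOME module.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>
/* strcpy(a, b) in a comment must not be reported */
static void save_prefs(const char *name) {
    char buf[64];
    char *path = tmpnam(NULL);          /* predictable temp name */
    strcpy(buf, name);                  /* no bound on name */
    printf("using strcpy(%s)\n", buf);  /* literal, not a call */
    FILE *fp = fopen(path, "w");
    if (fp) { fputs(buf, fp); fclose(fp); }
}
'''

if __name__ == "__main__":
    print("\n".join(report("prefs.c", SAMPLE_C)))
```

Each finding is a starting point for a closer look, not a confirmed bug; the point of the checklist is to make the first pass over an unfamiliar module systematic.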
