[Safer-hacking]Let's do something

[Werner Koch]

Hi,

I think this is the first mail on this list and I just want to kick
off a discussion.  At Erlangen we planned to do some discussion on:

  1. A document about safer ways of writing code
  
  2. An enhancement to the GNU coding standards
  
  3. Make sure that the use of gets() etc. will be flagged as
     error by the compiler (e.g. with -Wall).
  
  4. Start a project to audit important code; at least everyting
     needed to have a minimal system.
    

1) A document about safer ways of writing code
----------------------------------------------
There are already a few documents on how to do safe programming:
One is the 

  Secure Programming for Linux HOWTO
  David A. Wheeler, address@hidden
  v1.20, 23 December 1999
  
which is GPLed and therefore usable as a starting point.  I did have
only a short look at it.

The second one is the paper at SecurityFocus:

  http://www.securityfocus.com/forums/secprog/secure-programming.html
  
There is no copyright mentioned. They also run a mailing list.  

The GNOME folks do also have some hints in their coding guidelines
which are available simewhere at http://developer.gnome.org.

OpenBSD probably has also some stuff.


2) An enhancement to the GNU coding standards
---------------------------------------------
For the GNU coding standards we should write up a short summary of
what is considered a safer way of coding and strongly suggest to
read more stuff about this (with a list of good books and other
documents)


3) Help by the Compiler
-----------------------
Contact the gcc and the various C library maintainers to aks them to
enable all the important warnings by default or better make the an
error and add a way to override this.


4) Audit project
----------------
We talked about an audit project in lengths - so here is place to
continue.



Ciao,

  Werner