Links to bug reporting techniques, tips and tools
After looking at the source of several Debian packages and discovering a lack of concern for security, Steve Kemp began the unofficial Debian GNU/Linux Security Audit Project, reviewing Debian packages for security holes, starting with programs that run with root privileges or that have network access.
(Via advogato.)
Popularity: 33% [?]
The mod_perl site has a very comprehensive guide to debugging mod_perl applications.
Popularity: 44% [?]
Michael Bacarella’s Peon’s Guide To Secure System Development lays out basic guidelines for developing secure software including validating user input, and (controversially) avoiding C/C++.
David A. Wheeler has made an entire book on the subject of secure development, the Secure Programming for Linux and Unix HOWTO, available online. (Via Steve Kemp.)
Popularity: 43% [?]
Reporting a program’s vulnerability to an attack of some kind is a bit different to reporting normal bugs, because public exposure of the vulnerability may cause it to be exploited before the developers can develop a fix. Hence, normal bug reporting procedures, such as making an entry in a project’s public bug database, may not be the best approach. In this case, you may want to approach the vendors or developers privately, even if it goes against their bug reporting guidelines.
CERT’s policy (via SLUG) gives vendors at least 45 days to address a security issue before advising the public. Their Vulnerabilities, Incidents, & Fixes FAQ gives some guidelines for people who have discovered vulnerabilities.
The Organisation for Internet Safety has also issued a document called "Guidelines for Security Vulnerability Reporting and Response Process – V1.0" [780kb PDF file].
Popularity: 58% [?]
The Sydney Linux Users Group’s Debian Special Interest Group (SLUG DebSIG — phew!) has a number of Debian RC Bug Squish days coming up, the first on 13th March 2004.
Popularity: 43% [?]
Mark Howard is developing debbuggtk, a set of graphical applications for interacting with the Debian bug tracking system.
Via tildemh.com.
Popularity: 33% [?]
Malcolm suggests that bug hunters should adopt some of the same face saving techniques described by The Old New Thing that product support people use to avoid embarrassing their customers with obvious questions.
Popularity: 43% [?]
Muli Ben-Yehuda has prepared kernel debugging slides [PDF, 143kb] for a proposed one day workshop on kernel development.
Via mulix.
Popularity: 39% [?]
Isaac Jones has an article explaining how bug fixing is a good path into free software (and a software development career).
Via Debian weekly news.
Popularity: 50% [?]
Evolution, like the GNOME project itself, has regular bug days. The Evolution bug days focus on bug triage: that is, categorising bugs in terms of urgency and importance.
Via the Evolution blog
Popularity: 39% [?]