LinuxQuestions.org
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Old 06-01-2007, 02:53 AM   #1
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Rep: Reputation: Disabled
security policy publication for open-source projects?


I formulated an extensive security policy for a new project of mine which I will be releasing under GPL. Although the code will be open-source, the built-in security will not be readily apparent in the code no matter how well I comment it. Is it a bad idea to make my security policies public? I won't necessarily put line numbers and source files in the reference, but I would like the general foundation to be public to assure users that the application will be safe to run on their system. What is the standard level of security publication for an open-source project? Thanks.
ta0kira
 
Old 06-01-2007, 04:30 AM   #2
stress_junkie
Senior Member
 
Registered: Dec 2005
Location: Massachusetts, USA
Distribution: Ubuntu 10.04 and CentOS 5.5
Posts: 3,873

Rep: Reputation: 331
Security policies and techniques should work equally well whether they are known or not. If security policies are dependent on being hidden then the vulnerability would become apparent when someone figures out what you have done to secure the system.
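The following is an added illustration of the point made in this post; it is not code from the thread or from ta0kira's project, and every constant and message in it is constructed. Scheme A stands for a design whose only protection is that nobody knows it: once the method is published, a reader can compute a valid tag for any message. Scheme B keeps the algorithm public and puts the secrecy in a key, so the design can be written up in a security policy without weakening it.

```python
"""Security that depends on a hidden design (scheme A) versus security that
survives publication because only a key is secret (scheme B)."""
import hashlib
import hmac
import secrets

# Scheme A: a "hidden" tagging method with no key. Its protection is entirely
# that readers do not know the transform; publishing the design removes it.
HIDDEN_CONSTANT = 0x5A  # constructed; the scheme's whole "secret"


def obscure_tag(message: bytes) -> bytes:
    # XOR each byte with a fixed constant. Anyone who has read the design
    # can reproduce (and therefore forge) the tag.
    return bytes(b ^ HIDDEN_CONSTANT for b in message)


def obscure_verify(message: bytes, tag: bytes) -> bool:
    return obscure_tag(message) == tag


# Scheme B: HMAC-SHA256. The algorithm can be printed in the policy document;
# without the verifier's key, knowing it does not help produce a valid tag.
def make_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the tag.
    return hmac.compare_digest(make_tag(key, message), tag)


def forgery_after_publication() -> dict:
    """Model a reader who holds the published design (this file) and a captured
    message, and tries to produce a tag the verifier accepts."""
    message = b"grant: user=alice role=admin"  # constructed sample message

    # Scheme A: the published design is all the reader needs.
    a_forged = obscure_verify(message, obscure_tag(message))

    # Scheme B: the verifier's key is generated locally and never published.
    server_key = secrets.token_bytes(32)
    readers_guess = secrets.token_bytes(32)  # reader has the code, not the key
    b_forged = verify_tag(server_key, message, make_tag(readers_guess, message))
    b_legit = verify_tag(server_key, message, make_tag(server_key, message))
    # A modified message also fails under scheme B even with a genuine tag.
    b_tampered = verify_tag(server_key, message + b" !", make_tag(server_key, message))

    return {
        "scheme_a_forged": a_forged,      # True: publication broke it
        "scheme_b_forged": b_forged,      # False: design public, key private
        "scheme_b_legit": b_legit,        # True: holder of the key still verifies
        "scheme_b_tampered": b_tampered,  # False: tag is bound to the message
    }


if __name__ == "__main__":
    print(forgery_after_publication())
```

The practical test for a policy document is therefore the one this post states: if a paragraph in it must stay unpublished for the protection to hold, the protection belongs to scheme A and should be redesigned so that only key material, not method, needs to be kept private.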
 
Old 06-01-2007, 02:14 PM   #3
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Original Poster
Rep: Reputation: Disabled
I wrote the policy with publication in mind, and the main reason I'd publish it is to assure users that I've taken certain measures that they might wonder about. I intend for the policy to be as open-source as the software, but was not sure if there was a line which should not be crossed. I'd also like expert opinions to help make it more secure. The project is under development and should be ready for alpha this month sometime, so I'd like to decide what level of detail I should go into with the security explanation. I think I'll write up a web page tonight and see what I have as a start. Thanks.
ta0kira
 
Old 06-01-2007, 05:55 PM   #4
paulsm4
Guru
 
Registered: Mar 2004
Distribution: SusE 8.2
Posts: 5,863
Blog Entries: 1

Rep: Reputation: Disabled
Hi -

Stress_junkie is absolutely correct. And nobody has made this point more often, or more convincingly, than Bruce Schneier. I definitely urge you to read his classic "Secrets and Lies" (assuming you don't already have it on your bookshelf), or check out this article:

http://www.schneier.com/crypto-gram-0205.html#1
 
Old 06-02-2007, 07:44 PM   #5
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Original Poster
Rep: Reputation: Disabled
I was leaning in that direction; I just wanted to make sure. Here it is, although it doesn't make a lot of sense out of context. I haven't released any code yet, but I plan to in the next 2 months. Thanks for the advice.
Resourcerver Security Policy

ta0kira
 
Old 06-02-2007, 07:48 PM   #6
PatrickNew
Senior Member
 
Registered: Jan 2006
Location: Charleston, SC, USA
Distribution: Debian, Gentoo, Ubuntu, RHEL
Posts: 1,148
Blog Entries: 1

Rep: Reputation: 48
Keeping your security "secret" won't add any security. If I understand your question correctly, you just want to know if there are any unexpected consequences lurking if you publish? The only consequence I can think of is that the rest of the open-source world has a good example of secure programming - not too bad. Please do publish if you'd like to.
 
Old 06-02-2007, 09:07 PM   #7
ta0kira
Senior Member
 
Registered: Sep 2004
Distribution: FreeBSD 9.1, Kubuntu 12.10
Posts: 3,078

Original Poster
Rep: Reputation: Disabled
Yes, I was worried about something unexpected, but I agree that they can't be much worse than those already invited by going open-source in the first place. Please see the link in my previous post. Thanks.
ta0kira
 

Tags
gpl, library, open source, root login, security

