On Tue, 28 Jun 2011, Shawn H Corey wrote:

> On 11-06-28 11:33 AM, Robert P. J. Day wrote:
> > see my last post. i'm becoming increasingly convinced that simple
> > access to the entire current code base isn't *remotely* as important
> > as access to the entire version control log. and that's what i think
> > i'll emphasize.
>
> It does not necessarily follow that security breaches will be
> properly commented in the version-control log. In fact, if they
> were clever, they would make false and misleading comments about the
> changes they made. :)

don't worry, i can see your smiley face there. of course security
breaches won't be commented thusly (ah, if only crackers were so
accommodating), but given a decent revision control system, it would
be trivial to, you know, "git diff" or "git log" to check the changes
isolated to security-related parts of the code base. one need not
examine the entire code base, only those parts that a) have clearly
changed lately, and b) have something to do with security. and a
decent revision control system would make that amazingly easy.

rday

--
========================================================================
Robert P. J. Day                                 Ottawa, Ontario, CANADA
                        http://crashcourse.ca

Twitter:                                       http://twitter.com/rpjday
LinkedIn:                               http://ca.linkedin.com/in/rpjday
========================================================================
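The scoped review rday describes, as an added example that is not part of the original thread: a POSIX shell script that builds a small constructed git repository with a trusted baseline tag and two later commits (one benign, one that changes authentication code under a misleading "docs" message), then uses `git diff --name-only` and `git log` with path limits to surface only the changes that touch security-relevant directories. The watched paths (`auth`, `crypto`), the `known-good` tag and the file contents are all hypothetical; the point is that the path-limited diff ignores what the commit messages claim and shows what actually changed.

```shell
#!/bin/sh
# Added example (not from the original thread): scope a post-incident review
# to recent changes under security-relevant paths using git log / git diff.
# Assumptions: git is installed; "auth" and "crypto" are hypothetical watched
# directories; the repository below is constructed here so this runs offline.
set -eu

# Build a small constructed repository: a trusted baseline, then a benign
# docs change and an auth change hidden behind a misleading commit message.
make_sample_repo() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    git init -q .
    git config user.email audit@example.invalid
    git config user.name audit
    mkdir -p auth crypto docs
    echo 'def login(user, pw): return check(user, pw)' > auth/login.py
    echo 'KEY_BITS = 256' > crypto/keys.py
    echo 'Welcome' > docs/README
    git add -A && git commit -q -m "baseline"
    git tag -f known-good                 # the last state we trust
    echo 'More docs' >> docs/README
    git commit -qam "docs: typo fix"      # genuinely benign
    echo 'def login(user, pw): return True  # bypass' > auth/login.py
    git commit -qam "docs: fix wording"   # misleading: touches auth/, not docs/
  )
  printf '%s\n' "$dir"
}

# Files under the watched paths that differ from the trusted baseline,
# regardless of what the commit messages say.
#   usage: changed_security_files REPO BASE PATH...
changed_security_files() {
  repo=$1; base=$2; shift 2
  git -C "$repo" diff --name-only "$base" HEAD -- "$@"
}

# Commits since the baseline that touched the watched paths, one per line.
#   usage: security_commits REPO BASE PATH...
security_commits() {
  repo=$1; base=$2; shift 2
  git -C "$repo" log --oneline "$base"..HEAD -- "$@"
}

# Demonstration on the constructed repository.
WATCHED="auth crypto"
repo=$(make_sample_repo)
echo "Security-relevant files changed since known-good:"
changed_security_files "$repo" known-good $WATCHED
echo "Commits touching them (messages are not evidence):"
security_commits "$repo" known-good $WATCHED
echo "Full diff to review:"
git -C "$repo" diff known-good HEAD -- $WATCHED
```

On the constructed history this reports only `auth/login.py` and the single commit that touched it, even though that commit's message claims to be a documentation change; the `docs/` edit never appears because it is outside the watched paths. In a real review the baseline would be the last release tag or a commit known to predate the incident, and the watched path list would come from the project's own layout.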