9.1. Recommended practices for software security review and secure software design
Developers who create Debian packages should do their best to ensure that using or installing the software they are packaging does not introduce security holes on the system where it is installed and does not pose security risks to its users.
In order to do so, they should do their best to review the source code of the package and detect any flaws that might introduce security bugs before releasing the software or distributing a new version. It is acknowledged that the cost of fixing bugs grows with each stage of development, so it is easier (and cheaper) to fix bugs at design time than once the software has been deployed and is in maintenance mode (some studies say that the cost in this later phase is sixty times higher). Although there are some tools that try to automatically detect these flaws, developers should strive to learn about the different kinds of security flaws in order to understand them and be able to spot them in the code they (or others) have written.
Some of these issues might not be easy to spot unless you are an expert in the programming language the software uses, but some security problems are easy to detect and fix. For example, finding race conditions caused by misuse of temporary directories can easily be done just by running grep -r "/tmp/" . in the source tree. The matches can then be reviewed, and any hardcoded filenames in temporary directories replaced with calls to either mktemp or tempfile in shell scripts, File::Temp(3perl) in Perl scripts, or tmpfile(3) in C/C++.
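The difference between a hardcoded temporary filename and mktemp can be seen in the following shell sketch. It is an example added here, not code from the manual; the name "myapp" and all function names are hypothetical, and a private sandbox directory stands in for /tmp.

```shell
#!/bin/sh
# Added example; "myapp" and all function names are hypothetical.

# Unsafe: fixed, predictable name in a shared directory. If that path already
# exists as a symlink, the redirection follows it and overwrites the target.
write_unsafe() {
    echo "scratch data" > "$1/myapp.tmp"
}

# Safe: mktemp picks an unpredictable name and creates the file exclusively
# with mode 0600, so an existing file or symlink is never reused.
# Prints the path of the file it created.
write_safe() {
    tmp=$(mktemp "$1/myapp.XXXXXX") || return 1
    echo "scratch data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Demonstration inside a private sandbox standing in for /tmp.
# Prints "unsafe=<result> safe=<result>".
demo() {
    sandbox=$(mktemp -d) || return 1
    echo "important" > "$sandbox/victim"
    # Constructed precondition: the predictable name already exists as a link.
    ln -s "$sandbox/victim" "$sandbox/myapp.tmp"

    write_unsafe "$sandbox"
    if [ "$(cat "$sandbox/victim")" = "important" ]; then u=intact; else u=clobbered; fi

    echo "important" > "$sandbox/victim"
    created=$(write_safe "$sandbox")
    if [ "$(cat "$sandbox/victim")" = "important" ] && [ -f "$created" ] \
        && [ ! -L "$created" ]; then s=intact; else s=clobbered; fi

    rm -rf "$sandbox"
    echo "unsafe=$u safe=$s"
}

demo
```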
If you are packaging software, make sure to follow the most common security guidelines, including: