Slashdot Mirror


DARPA-Funded Linux Security Hub Withers

mAriuZ writes "Initially funded by a grant from the Pentagon's DARPA, the Sardonix project aspired to replace the Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom. As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up."

7 of 281 comments (clear)

  1. never heard of it! by Anonymous Coward · · Score: 5, Interesting

    Well, maybe they needed a little more exposure, eh?

    I'm a sysadmin that secures plenty of mission-critical Linux (and FreeBSD) boxes, and I *thought* I kept on top of all the security news, I'd never heard of this project!

    Oh well! Try try again...

  2. Thankless task indeed . . . by Mysteray · · Score: 5, Interesting
    Two years after its hopeful launch, a U.S.-backed research project aimed at drawing skilled eyeballs to the thankless task of open-source security auditing is prepared to throw in the towel.

    It does seem to be a thankless task. For a new guy on a project, criticizing the leaders' work doesn't seem a good way to gain influence. For an old contributor, you might feel compelled to add functionality the userbase is demanding.

    Interestingly, the OpenBSD project has put a lot of effort into auditing, and they also have a reputation of being somewhat, um, "grouchy". I wonder if there's some correlation?

  3. No reason to play the NSA game... by Saeed+al-Sahaf · · Score: 4, Interesting
    As conceived by Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed. ... In the end, though, nobody showed up.

    Perhaps this is because for most of the (incredibly smart) people who make contributions to Linux kernel development, it's not about points? Now if they had attached MONEY value to those points, maybe the result would have been different; I mean at least SOME motivation to play the NSA game.

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  4. If a project falls.... by RedLeg · · Score: 4, Interesting
    If a project fails, and nobody's ever even heard of it, has it really failed?

    I know Crispin Cowan personally, and I have never heard of this project! Maybe some of the DARPA funding should have gone to advertising, publicity, or (God forbid) Marketing?

  5. Securityfocus batting .500 by AndroidCat · · Score: 5, Interesting
    I guess they couldn't decide how to spell Cris Cowan/Cowen's last name so they alternated.

    They should have a volunteer review process to catch spelling mistakes...

    --
    One line blog. I hear that they're called Twitters now.
  6. Re:Too low profile by AndroidCat · · Score: 4, Interesting

    Perhaps the seven responses to the original story should have been a tipoff that raising visibility of the project would have been a good idea. (Of course, that would have risked coming on too strong.)

    --
    One line blog. I hear that they're called Twitters now.
  7. It never helped me get started by bluGill · · Score: 4, Interesting

    I visited the site a few times, but didn't see anything to help me get started. Just some "we need to get project X reviewed". Then a complex point system that sounded motivating, but didn't do anything.

    I just wanted to get started. All they said was "read this code and look for problems". No duh, but how about some examples. Some help. I'd learn much more if 30 people read one file, each commented on it, and I could read them all. Once I learn to think of everything 30 people think of (who have expirence reading code) I'll do some more on my own. Nothing gets me started though. I'm an okay programer (better than most really, but that isn't saying much considering the typical programer I've seen), and I need to learn how to do this. How do expert code reviewers think?

    I just got back from wineconf, Alexander personally reads every single line that is commited to Wine. I know it can be done, but I need expirence before I could possibly do that, and noone bootstraps me to get the expirence.

    I understand this is a hard thing. I've developed before, and I can't document my code any better than anyone else. They made it their stated goal to help me, but then never did anything useful.