Debian Security Audit Project

The Debian Security Audit Project is a project which is focused upon auditing Debian packages for security issues.

In the short time it has been running it has been responsible for several Debian Security Advisories proving that this auditing process really works to improve Debian security. It is hoped more advisories will result from future work.

By taking a proactive stance in auditing code we can help to ensure that Debian continues its long history of taking security seriously.

Audit Scope

The aim of the project is to audit as many of the packages within the Debian stable release as possible for potential flaws. Important packages which are contained in the unstable distribution may also be examined for flaws, decreasing the likelihood of insecure packages entering the stable release in the first place.

Due to the sheer size of the current Debian release it is infeasible for a small team to be able to audit all the packages, so there is a system of prioritizing packages which are more security sensitive.

The package prioritization guidelines attempt to ensure that time is spent auditing the packages which matter, and the auditing tools overview shows how some of the available source code scanners may be used to guide an audit.

Previously Released Advisories

For each package which has been found vulnerable to a security problem there will be a DSA released by the Debian Security Team.

For reference there is a list of previous advisories which have resulted directly from the auditing process.

Further Information

Further information on the project may be found in the Security Audit FAQ.