Securing the server source
Saturday, March 31st, 2007There hasn't been a security problem with the server in over a year (barely). That's good, but we'd like it to be better. Therefore, we've started working with Coverity, makers of source code analysis tools. They host an open source scanning site, and have recently added FreeRADIUS to the mix.
The announcement came as part of their one-year anniversary of scanning open source projects. The bad news is that they found bugs, which is not entirely surprising. The good news is that none of the bugs have security implications, and that we're working on fixing all of them.
The goal is to have Coverity show a scan result of zero bugs before 1.1.6 is released. We'd like to get a “pre-scan” of 2.0, so that it also has zero bugs. This doesn't mean that the server will be bug-free, as there may still be logic errors in the code. What it does mean is that there should be no security bugs in the server.