[Kde-pim] KDE-PIM Security R&D

Volker Krause vkrause at kde.org
Tue Jan 22 11:29:04 GMT 2008


On Tuesday 22 January 2008 08:45:06 Tobias Koenig wrote:
> On Tue, Jan 22, 2008 at 12:34:59AM -0600, Derek Ditch wrote:
> >  I suggested KDE4 as a possible project.  Obviously KDE4 is a large
> > set of code, so we narrowed it down to KDE-PIM.  Specifically I think
> > we may look at Akonadi.  I'm the advocate, so I'm gathering
> > information.
> >
> > My question is if you feel Akonadi is a good candidate for this class.
> >  Some of the specifications are the impact of security (how
> > widespread/how critical), scope of the project (lines of code, release
> > cycle) and potential for vulnerabilities (or the amount of impact we
> > could have on the project).
>
> Hmm, as Akonadi is running as a user process only where nobody else
> except the user has access to (protected by the operating system), I'm
> not sure whether it is the right candidate.
>
> Maybe the resources/agents, which access groupware servers could be
> checked for security.

I actually think Akonadi is a very good choice for that. It handles arbitrary 
data that is sent to you by basically anyone without requiring explicit 
action of you, so a possible security issue would be extremely easy to 
exploit. Making sure that we handle external data safely is IMHO very 
important and is needed for all involved components. Any help in that area is 
of course very welcome.

> > Also, of course, a very important factor is willingness of the
> > community to use our fixes.
>
> Fixes are always welcome :)
>
> > I've worked with several small KDE projects in the past, and the last
> > item has never been a problem.  I've found KDE teams to be very open
> > to outside help.  Last semester my team did a bit of work on ViewVC
> > and the project members didn't seem to be too interested in our work.
> >
> :(
> :
> > So do you think Akonadi is a good pick, or could you suggest something
> > that would be more applicable given the guidelines above?
>
> At least you could take a look at Akonadi and tell us whether it has
> some problems that could be used by attackers somehow.
>
> Could you give an overview of the types of security issues you are
> looking for?

regards
Volker