On Thu, 2007-11-01 at 12:15 -0600, Boyd Lynn Gerber wrote:
Interesting view from the inside :). I can imagine that devs don't have time for a full-fledged security audit (reviewing all code manually). And I don't think this is necessary, correct me if I am wrong. Are you only experienced with 'BSD or also with Gentoo/Debian?
All the various *BSD's and Debian, a little Gentoo, but mainly SUSE. An audit is necessary for C2. It even requires the HW to be audited. The cert is for exactly the system.
You mean 'Trusted Computer System Evaluation Criteria' ( http://en.wikipedia.org/wiki/TCSEC )? I didn't know that one. Is it actually used outside the army?