[gnessus-discuss] Contributions (fwd)

Tim Brown timb at gnessus.org
Wed Nov 2 20:08:37 CET 2005


On Wed, 2 Nov 2005, Robert Rich wrote:

> Robert Berkowitz wrote:
>
>> I don't think we should publish anything that we deem to be of poor
>> quality.
>>
> I don't think there's anything wrong with it as long as people know what
> they are getting.  If a plugin is poor quality, it actually needs to be
> published so people can test and fix it.  I think the 'bleeding' snort
> issue actually raises a slightly different question: should the project
> publish anything that is of unknown quality?  Again, i say yes, but i
> again think people have to know what they are getting.  Nessus has
> always been our tool of choice because of how rapidly it adapts to new
> vulnerabilities.  However, i must admit that we aren't always positive
> of the amount of testing that the plugins have had before they are
> released into the feed, and have certainly been burned in the past.  If
> i knew that 128 of the 9.5k plugins were 'UNTESTED' or something like
> that, i could apply more scrutiny to how they operate, test them, and
> be more selective about what types of assets i direct them towards.
>
> This may be out there a bit, but it's something i've been mulling over
> for a while: pluginforge.  Why not raise each plugin to the status of a
> mini development project?  They all certainly have their own lifecycle,
> reliability, bugs, etc..   Look at the list of 'metadata' tracked by
> source forge on some random project:

Interesting thought, but with thousands of plugins it might be a bit too 
far.  There is certainly scope for doing a more structured plugin feed 
though.  I'm actually registering an OpenVAS OID right now, so we can 
avoid the Tenable plugin namespace.  I like the idea of a debian style 
plugin system, with stable, unstable, testing... with perhaps specialised 
repositories for people who are "subject experts".  If you're not too busy 
maybe come and join us on #openvas at irc.oftc.net since we're talking about 
exactly these points.

Cheers,
Tim
-- 
Tim Brown, GNessUs
<mailto:timb at gnessus.org>
<http://www.gnessus.org/>