On 18.12.2013 18:54, Ondrej Vasik wrote:
> On Wed, 2013-12-18 at 16:47 +0100, Reindl Harald wrote:
>> On 18.12.2013 16:37, Dave Jones wrote:
>>> On Wed, Dec 18, 2013 at 09:12:06AM +0100, Ondrej Vasik wrote:
>>>
>>> > Publishing them is a bit tricky - I can of course publish them (we scan
>>> > with cppcheck, enhanced gcc warnings, clang and coverity) - but the
>>> > reports may contain some attack vectors - and for inactive packages, it
>>> > would only show the doors to attackers.
>>>
>>> Then it's a good thing that attackers don't have any money and can't afford
>>> to buy a checker license themselves.
>>>
>>> Hiding bugs doesn't make them go away, and pretending we have tools bad people
>>> don't is a fallacy.
>>
>> +1
>>
>> and only if security problems are public is there enough pressure
>> for too many developers to care about them - and before someone
>> says "and they may still not care about them", well, then you
>> know which piece of software should be replaced next instead of
>> other working pieces
>>
>> security by obscurity is dumb, never worked and will never work
>
> Btw. you can check how it worked for the project where both RH and
> upstream were WILLING to work on the report and published it on wiki -
> net-snmp example is at
> http://www.net-snmp.org/wiki/index.php/5.7.1_Coverity_scan - even after
> 2 years, there are some groups unchecked (although the most critical
> ones were analyzed and fixed/commented in ~1 year)

well, does *not* sound like upstream is *really* willing, otherwise it
would have been fixed

and yes, I have worked with upstream developers where the reaction after
a coverity scan was this, while *one day* after I pointed out that
coverity exists at all, the first commit landed

http://git.dbmail.eu/paul/dbmail/log/?qt=grep&q=coverity
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct