Re: PSA: If you are C/C++ developer, use cppcheck

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2013-12-18 at 19:00 +0100, Reindl Harald wrote:
> Am 18.12.2013 18:54, schrieb Ondrej Vasik:
> > On Wed, 2013-12-18 at 16:47 +0100, Reindl Harald wrote:
> >> Am 18.12.2013 16:37, schrieb Dave Jones:
> >>> On Wed, Dec 18, 2013 at 09:12:06AM +0100, Ondrej Vasik wrote:
> >>>
> >>>  > Publishing them is a bit tricky - I can of course publish them (we scan
> >>>  > with cppcheck, enhanced gcc warnings, clang and coverity) - but the
> >>>  > reports may contain some attack vectors - and for inactive packages, it
> >>>  > would only show the doors to attackers.
> >>>
> >>> Then it's a good thing that attackers don't have any money and can't afford
> >>> to buy a checker license themselves.
> >>>
> >>> Hiding bugs doesn't make them go away, and pretending we have tools bad people
> >>> don't is a fallacy.
> >>
> >> +1
> >>
> >> and only if security problems are public makes enough pressure
> >> for too many developers to care about them - and before someone
> >> says "and they may still not care about them", well, than you
> >> know which piece of software should be replaced next instead
> >> other working pieces
> >>
> >> seucrity by obscurity is dumb, did never work and will never work
> > 
> > Btw. you can check how it worked for the project where both RH and
> > upstream were WILLING to work on the report and published it on wiki -
> > net-snmp example is at
> > http://www.net-snmp.org/wiki/index.php/5.7.1_Coverity_scan - even after
> > 2 years, there are some groups unchecked (although the most critical
> > ones were analyzed and fixed/commented in ~1 year)
> 
> well, does *not* sound like upstream is *really* willing
> otherwise it would have been fixed
> 
> and yes i have worked with upstream-developers where the reaction
> after a coverity scan was this while *one day* after i pointed
> out that cobverity exists at all the first commit landed
> 
> http://git.dbmail.eu/paul/dbmail/log/?qt=grep&q=coverity

Ok, so we have some upstreams where noone will look for years, we have
some upstreams, who can fix the report within one day, we have some
upstreams where it will take several months or years.
If you check the net-snmp, there was ~160 issues fixed based on this
report - in your case, the difference is ~+200/-150 loc in ~1 month
timeframe - this is probably doable if it doesn't involve design changes
to fix some issues. 

I'm completely for sharing the output of the scans with upstreams - and
many upstreams were contacted by Red Hat guys (many times with patches)-
however having such report concentrated on one place is not a good idea.

Btw. publishing security hole (as you suggested in one of your previous
emails) is one of the worst things you can do. Private emails to
upstream or some security distribution lists is much better idea in such
cases (imagine a hole e.g. httpd/bind - and the maintainer on PTO/sick
leave).

Ondrej

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux