On Monday 30 July 2007 00:22, Dan Langille wrote:
> On 28 Jul 2007 at 23:44, Kern Sibbald wrote:
> 
> > On Saturday 28 July 2007 20:42, Dan Langille wrote:
> > > Coverity [http://www.coverity.com/] offers a bug checking service 
> > > free to qualifying projects.  I have known their Open Source contact, 
> > > David Maxwell for several years.  At OSCON, he offered this service 
> > > to the Bacula project.
> > > 
> > > What we get out of it is better code.  The Coverity scan will 
> > > highlight [possible] bugs.  I'll find out more details and report 
> > > back.
> > 
> > Thanks.  Through their web site, something like six or nine months ago, I 
> > requested that they scan our code -- however I never got an answer, so if 
> > you are able to make it happen, great!
> 
> Those interested should read:
> 
> http://scan.coverity.com/
> http://scan.coverity.com/about.html
> http://scan.coverity.com/faq.html
> http://scan.coverity.com/policy.html

Some years ago a kind user ran a security check on Bacula with some standard 
Unix tools.  It pulled out a couple of interesting problems (and I changed my 
personal and Bacula programming rules accordingly), but there was a *huge* 
mass of things that it pulled out that were not at all errors or security 
problems in Bacula because it either wasn't smart enough (e.g. all Bacula 
allocated MEMPOOL buffers are at least 100 bytes long so a strcpy of 
something 4 bytes long does not really need to be a strncpy) or it didn't 
know that the underlying Bacula libraries are much safer than the normal 
system libraries -- e.g. the glibc printf(buf) is dangerous if the user can 
enter any part of the info in buf, while in Bacula it is perfectly safe (we 
have our own printf) and the stack cannot be overwritten.

Hopefully the tools that Coverity have are more sophisticated so that we don't 
have to spend too much time correcting problems that don't really exist.

Regards,

Kern

> 
> -- 
> Dan Langille - http://www.langille.org/
> Available for hire: http://www.freebsddiary.org/dan_langille.php
> 
> 
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> Bacula-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/bacula-devel
> 
