On Wed, 2013-12-18 at 10:37 -0500, Dave Jones wrote:
> On Wed, Dec 18, 2013 at 09:12:06AM +0100, Ondrej Vasik wrote:
> 
>  > Publishing them is a bit tricky - I can of course publish them (we scan
>  > with cppcheck, enhanced gcc warnings, clang and coverity) - but the
>  > reports may contain some attack vectors - and for inactive packages, it
>  > would only show the doors to attackers.
> 
> Then it's a good thing that attackers don't have any money and can't afford
> to buy a checker license themselves.
> 
> Hiding bugs doesn't make them go away, and pretending we have tools bad people
> don't is a fallacy.

Yes, many of them have, many of them use these tools, many of them have
their own ones... I'm not trying to pretend that they don't have them -
but why lower the bar? Many teenagers experiment with computer
viruses and cracking, and they obviously don't have the money but have
plenty of time - which is the key when walking through the reports from
large projects - it could be a playground for such kiddies.
By publishing the reports, you basically FORCE the upstream to work on
them - and some upstreams are already busy enough with a huge patch-review
backlog.
The average code defect density is ~1k LOC/defect, so you can easily find
out that we have around 150k defects to analyze in RHEL packages alone -
approximately 4x more in the rest of Fedora's C/C++ code. With ~5 minutes per
defect... it is not a job for one or a few persons. And analyzing the security
impact of some buffer overflows - this is not a 5 minute job - so you
don't know whether the fix requires a CVE or not.
I'm afraid it would only make things screwed up. Giving people some tool to
make using the analyzers easier for everyone, that's IMHO the right way.

Greetings,
          Ondrej Vasik

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct