On Tue, 24 Apr 2018 11:54:34 -0400 "William L. Thomson Jr." <wlt...@obsidian-studios.com> wrote:

> Coverity's stance is you may use their product to find exploits and do
> bad stuff. It is a stupid futile argument. Given the fact there are
> alternatives which will do the same. Not like their tool is really a
> security tool. It's a futile stupid argument. We have limited resources
> is much more believable and understandable.

....

> Yes SonarSource also has a product for sale, but being part of FOSS
> themselves, they have a clue. Thus do not have stupid policies like...
> https://scan.coverity.com/faq#who-can-have-access
Per that FAQ, using OpenRC and pinentry as examples: both of those could have exploitable security vulnerabilities that maybe Coverity would have revealed. By Coverity denying me or anyone such scans, those cannot be shown to project developers, who themselves for whatever reason have chosen not to use Coverity. Those potential security issues remain and no one is working on fixing them, or aware of them, if there are legitimate existing security issues revealed by a Coverity scan.

Thus Coverity's entire argument about not approving scans to the general public, or not making scan results accessible, due to security issues, I find a futile argument. Yes, it may not show those for others to exploit. It is also not showing them for anyone to fix. If someone comes across it and exploits it, others are short on luck.... if even aware! Yet anyone could still use other things like clang's scan-build, Sonar, or their own analysis to find exploits and exploit them. Coverity is not like an end-all, be-all to finding and fixing all security issues.

I haven't really seen Coverity present something as a security issue. It was mostly memory not being freed, etc. I do not consider Coverity a security tool, and I'm not sure anyone considers static analyzers tools for security auditing.

Furthermore, this is what the GnuPG dev was talking about...

"Since projects that do not resolve their outstanding defects are leaving their users exposed to the consequences of those flaws, Synopsys will work to encourage a project to resolve all of their defects. Synopsys may set a deadline for the publication of all the analysis results for a project."

"In order to push for those issues to be resolved, in the same spirit as the individual issue disclosure policies, Synopsys may set planned publication dates for the full analysis results of a project. Projects may negotiate with us about the date, if they are making progress on resolving the outstanding issues."

Now they are going to set a deadline for when a defect they found should be shown for a FOSS project? Who does Coverity think they are? What if it is not fixed? Isn't that their entire argument for not showing the general public? Coverity seems to want to run the show...

Can you start to see why I do dislike Coverity? For the little benefit, they make it seem like their product is better than it is, does something that it really does not, then force users to act on things they feel are of importance... Comply with their policies, ignoring a project's own policies. Which did not work for GnuPG... Thus Coverity is not used, and any issues remain in GnuPG... Wonderful! Thanks Coverity!

Coverity is so bad, their link on the FAQ to Wikipedia does not even exist:
https://en.wikipedia.org/wiki/Full_disclosure
I assume they were trying to link to this...
https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)

Most any gripe I have with Coverity is legit, and nothing to do with me personally, or any of my projects, etc. It is Coverity's own policies and practices which are not friendly to quite many FOSS projects and developers.

-- 
William L. Thomson Jr.
_______________________________________________
enlightenment-devel mailing list
enlightenment-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/enlightenment-devel