I don't recall it, but it seems like a good idea. I don't have a preference. Perhaps the particular project's maintainer? Or perhaps we can (instead of a single person) have a closed-off security discussion list, with a limited number of invite-only participants? Can we do that on gnu.org?

Do you feel like setting this up?

On Sun, Jan 14, 2018 at 6:54 PM, Fred Kiefer <fredkie...@gmx.de> wrote:
> I remember we talked about this before, maybe at the Dublin meeting. There is
> the option to set up GNUstep on scan.coverity.com to have the code
> automatically checked for known vulnerabilities. At the time we did discuss
> this there wasn't support for Objective-C but this seems to have been added:
>
> https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/CWE-CC-Objective-C.pdf
>
> What are your opinions on this? In the beginning it will require some extra
> effort to fix the found weaknesses and somehow to flag the false positives.
> And who should be in charge of getting the reports? The idea here is that
> only the person registered for the project will get the report to prevent
> 0-day issues becoming public too soon.
>
> Fred
> _______________________________________________
> Gnustep-dev mailing list
> Gnustep-dev@gnu.org
> https://lists.gnu.org/mailman/listinfo/gnustep-dev