> Hi,
> We recently ran Coverity, a static source analysis tool, against OpenSSL
> 0.9.7 and 0.9.8. We found a number of problems such as the potential to
> access null pointers, lack of error checking on return codes, etc.
> There are in the neighborhood of 25 errors that we considered worth fixing.
> Would you like us to contribute these fixes back to the project?
Yes.
> If so, what would be the best format for submitting them?
The Coverity report itself is by all means preferred, as more eyeballs
deciding on what's worth fixing and in which branch is better. If
disclosure on a public list such as openssl-dev is not appropriate, send
it to openssl-team.
> Would you like the diffs or raw sources?
See the "HOW TO CONTRIBUTE TO OpenSSL" paragraph in ./README for a formalized
description.
> Also, which branch would be best?
The normal workflow goes as follows: 1. HEAD [see
http://www.openssl.org/source/repos.html], 2. backport to released
versions. Backports to 0.9.8 are currently very common, while backports
to 0.9.7 are rather rare. This means that HEAD is by all means preferred,
but as long as we're not talking about changed functionality or new
features, 0.9.8 is OK for the moment, as it has not diverged too much.

A.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List
Automated List Manager
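The two defect classes the report above names, a return code that is never checked and the NULL-pointer dereference that follows from it, are easiest to see side by side. The C below is an added illustration written for this page; it is not code from the thread, from the Coverity report, or from OpenSSL. The record type, the fault-injecting allocator `fi_malloc()` and the function names are all hypothetical stand-ins for the kind of allocation-then-use sequence a static analyser flags, and the sample payload is constructed.

```c
/* Added example (not from the OpenSSL thread above): an unchecked
 * return code leading to a NULL-pointer dereference, shown in the
 * vulnerable form a static analyser reports and in a hardened form.
 * The record type, allocator and names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record: a copied payload with its length. */
typedef struct {
    unsigned char *data;
    size_t len;
} record_t;

/* Fault-injecting allocator: fails the Nth call when fail_at > 0.
 * This makes concrete what the analyser assumes: any allocation may fail. */
static int alloc_calls = 0;
static int fail_at = 0;

static void *fi_malloc(size_t n)
{
    alloc_calls++;
    if (fail_at && alloc_calls == fail_at)
        return NULL;
    return malloc(n);
}

static void record_free(record_t *r)
{
    if (r == NULL)
        return;
    free(r->data);
    free(r);
}

/* Vulnerable form: the pattern a tool like Coverity flags.  Neither
 * allocation result is checked, so under allocation failure the next
 * line dereferences NULL.  Kept here for contrast; never called below. */
record_t *record_new_unchecked(const unsigned char *buf, size_t len)
{
    record_t *r = fi_malloc(sizeof(*r));
    r->data = fi_malloc(len);        /* NULL deref if the first call failed */
    memcpy(r->data, buf, len);       /* NULL deref if the second call failed */
    r->len = len;
    return r;
}

/* Hardened form: every failable call is checked, partial state is
 * released, and the caller gets a distinct error code. */
int record_new(record_t **out, const unsigned char *buf, size_t len)
{
    record_t *r;

    if (out == NULL || (buf == NULL && len != 0))
        return -1;
    *out = NULL;
    r = fi_malloc(sizeof(*r));
    if (r == NULL)
        return -1;
    r->data = fi_malloc(len ? len : 1);
    if (r->data == NULL) {
        free(r);                     /* do not leak the half-built record */
        return -1;
    }
    if (len)
        memcpy(r->data, buf, len);
    r->len = len;
    *out = r;
    return 0;
}

/* Caller that checks the return code instead of assuming success.
 * Returns 1 if the record was built and matches the input, 0 if the
 * injected allocation failure was reported and handled. */
int parse_and_check(const unsigned char *buf, size_t len, int inject_fail_at)
{
    record_t *r = NULL;
    int ok;

    alloc_calls = 0;
    fail_at = inject_fail_at;
    if (record_new(&r, buf, len) != 0)
        return 0;                    /* failure handled, nothing dereferenced */
    ok = (r->len == len && memcmp(r->data, buf, len) == 0);
    record_free(r);
    return ok;
}

int main(void)
{
    static const unsigned char sample[] = "constructed sample payload";
    printf("no fault:           %d\n", parse_and_check(sample, sizeof sample, 0));
    printf("fault on 1st alloc: %d\n", parse_and_check(sample, sizeof sample, 1));
    printf("fault on 2nd alloc: %d\n", parse_and_check(sample, sizeof sample, 2));
    return 0;
}
```

The injected failures are the cases a static analyser reasons about without ever running the code: `record_new_unchecked()` would crash on either one, while `record_new()` returns -1 and leaves `*out` NULL so the caller cannot mistake failure for success.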