Re: [libvirt] How about fuzz testing on oss-fuzz?

2017-05-09 Thread Daniel P. Berrange
On Tue, May 09, 2017 at 11:12:24AM +0200, Michal Privoznik wrote:
> On 05/09/2017 11:01 AM, Daniel P. Berrange wrote:
> > On Fri, Mar 31, 2017 at 10:23:33AM +0200, Peter Krempa wrote:
> >> On Fri, Mar 31, 2017 at 03:57:41 -0400, Dan wrote:
> >>> Hi all,
> >>>
> >>> I have seen libxml2 has already been added as a project in oss-fuzz [1].
> >>> Any idea about libvirt? While we could do our own fuzzing of some form, do
> >>> we want to also try it out using google's free resource?
> >>
> >> The oss-fuzz project requires you to integrate the project with
> >> the libfuzz fuzzer in the first place so you have to make it run locally
> >> first anyways.
> >>
> >> Doing it on the oss-fuzz project is still the step after that.
> > 
> > FYI, google is now offering rewards to projects that integrate
> > with oss-fuzz
> > 
> >   "To qualify for these rewards, a project needs to have a large
> >    user base and/or be critical to global IT infrastructure.
> >    Eligible projects will receive $1,000 for initial integration,
> >    and up to $20,000 for ideal integration (the final amount is
> >    at our discretion). You have the option of donating these
> >    rewards to charity instead, and Google will double the amount."
> > 
> > I'd like to think libvirt qualifies under "large user base" and
> > "critical to global IT" given prevalence of the cloud these days,
> > but no guarantees
> > 
> >   https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html
> 
> Right. I've read this on G+ during the weekend. And now that we have
> accepted a student for the fuzzing GSoC project, we can work towards
> that goal.
> 
> > 
> > Not that libvirt really has any current need for monetary funds. If it ever
> > came to pass, we could just have a poll amongst active contributors to
> > vote on suggestions of what to do with it (donate it, spend it, fund something,
> > etc).
> 
> I don't know any details, but I know from the past that receiving money
> for orgs wasn't trivial (at least for GSoC). We had to have a law
> entity that covers the project. Since there was none, we donated our
> mentor money to Tor foundation. But it has changed a while ago (again,
> at least for GSoC), so maybe we are eligible to receive money after all.

Yep, just telling Google to donate it directly to a charity of our
choosing would probably end up being the simplest option from a legal
pov, as it would avoid us handling it at all.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list


Re: [libvirt] How about fuzz testing on oss-fuzz?

2017-05-09 Thread Michal Privoznik
On 05/09/2017 11:01 AM, Daniel P. Berrange wrote:
> On Fri, Mar 31, 2017 at 10:23:33AM +0200, Peter Krempa wrote:
>> On Fri, Mar 31, 2017 at 03:57:41 -0400, Dan wrote:
>>> Hi all,
>>>
>>> I have seen libxml2 has already been added as a project in oss-fuzz [1].
>>> Any idea about libvirt? While we could do our own fuzzing of some form, do
>>> we want to also try it out using google's free resource?
>>
>> The oss-fuzz project requires you to integrate the project with
>> the libfuzz fuzzer in the first place so you have to make it run locally
>> first anyways.
>>
>> Doing it on the oss-fuzz project is still the step after that.
> 
> FYI, google is now offering rewards to projects that integrate
> with oss-fuzz
> 
>   "To qualify for these rewards, a project needs to have a large
>    user base and/or be critical to global IT infrastructure.
>    Eligible projects will receive $1,000 for initial integration,
>    and up to $20,000 for ideal integration (the final amount is
>    at our discretion). You have the option of donating these
>    rewards to charity instead, and Google will double the amount."
> 
> I'd like to think libvirt qualifies under "large user base" and
> "critical to global IT" given prevalence of the cloud these days,
> but no guarantees
> 
>   https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html

Right. I've read this on G+ during the weekend. And now that we have
accepted a student for the fuzzing GSoC project, we can work towards
that goal.

> 
> Not that libvirt really has any current need for monetary funds. If it ever
> came to pass, we could just have a poll amongst active contributors to
> vote on suggestions of what to do with it (donate it, spend it, fund something,
> etc).

I don't know any details, but I know from the past that receiving money
for orgs wasn't trivial (at least for GSoC). We had to have a law
entity that covers the project. Since there was none, we donated our
mentor money to Tor foundation. But it has changed a while ago (again,
at least for GSoC), so maybe we are eligible to receive money after all.

Michal



Re: [libvirt] How about fuzz testing on oss-fuzz?

2017-05-09 Thread Daniel P. Berrange
On Fri, Mar 31, 2017 at 10:23:33AM +0200, Peter Krempa wrote:
> On Fri, Mar 31, 2017 at 03:57:41 -0400, Dan wrote:
> > Hi all,
> > 
> > I have seen libxml2 has already been added as a project in oss-fuzz [1].
> > Any idea about libvirt? While we could do our own fuzzing of some form, do
> > we want to also try it out using google's free resource?
> 
> The oss-fuzz project requires you to integrate the project with
> the libfuzz fuzzer in the first place so you have to make it run locally
> first anyways.
> 
> Doing it on the oss-fuzz project is still the step after that.

FYI, google is now offering rewards to projects that integrate
with oss-fuzz

  "To qualify for these rewards, a project needs to have a large
   user base and/or be critical to global IT infrastructure. 
   Eligible projects will receive $1,000 for initial integration,
   and up to $20,000 for ideal integration (the final amount is
   at our discretion). You have the option of donating these 
   rewards to charity instead, and Google will double the amount."

I'd like to think libvirt qualifies under "large user base" and
"critical to global IT" given prevalence of the cloud these days,
but no guarantees

  https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html

Not that libvirt really has any current need for monetary funds. If it ever
came to pass, we could just have a poll amongst active contributors to
vote on suggestions of what to do with it (donate it, spend it, fund something,
etc).

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



Re: [libvirt] How about fuzz testing on oss-fuzz?

2017-03-31 Thread Peter Krempa
On Fri, Mar 31, 2017 at 03:57:41 -0400, Dan wrote:
> Hi all,
> 
> I have seen libxml2 has already been added as a project in oss-fuzz [1].
> Any idea about libvirt? While we could do our own fuzzing of some form, do
> we want to also try it out using google's free resource?

The oss-fuzz project requires you to integrate the project with
the libfuzz fuzzer in the first place so you have to make it run locally
first anyways.

Doing it on the oss-fuzz project is still the step after that.



[libvirt] How about fuzz testing on oss-fuzz?

2017-03-31 Thread Dan
Hi all,

I have seen libxml2 has already been added as a project in oss-fuzz [1].
Any idea about libvirt? While we could do our own fuzzing of some form, do
we want to also try it out using google's free resource?


Dan

[1] https://github.com/google/oss-fuzz