The poppler developers have a private place where they keep a list of reported fuzzing issues so that the developers can let the issues sit around until someone has time without having them visible on a public list. Is it possible to make a private tiff area where bots can send reports?
________________________________
From: Tiff <[email protected]> on behalf of Bob Friesenhahn <[email protected]>
Sent: Thursday, November 4, 2021 6:57 PM
To: Even Rouault <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [Tiff] About issues filed by Varangian bot

On Thu, 4 Nov 2021, Even Rouault wrote:
>
> I'm not sure if we want to welcome other batches of such reports (since
> apparently they plan to submit others), as our funded or volunteer time is
> limited.

We were given fair warning that the fire-hose was going to be turned on but said nothing. Luckily it was just for a short burst of sample issues.

Since static analysis (e.g. Coverity) and fuzz testing became effective and free, a very large portion of my "free" time not spent working on an unrelated paying day job has been spent fixing issues identified by others. In fact, even when valgrind was introduced many years ago, that resulted in quite a lot of unpaid "free" time being spent fixing the many issues found. It is a "thankless" task since users of free software can not fathom the work which is being performed for them.

Libtiff is small, but it is complex. The software has a very long history so it was not developed in conjunction with automated testing and analysis tools.

The analysis and fixes are quite valuable but it is too much to ask for volunteers (or somewhat paid developers) to dedicate every waking hour to a project in order to fix (possible) bugs found by automated analysis.

What is needed is a "closed loop" system where the producers of defect information also submit the recommended solutions. If a "closed loop" is not possible, then we need another well-funded organization to take up the task of checking that issues are real, and coming up with solutions.

Bob
--
Bob Friesenhahn
[email protected], http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
_______________________________________________
Tiff mailing list
[email protected]
https://lists.osgeo.org/mailman/listinfo/tiff
