Subject: Re: Issue 50 of the NetBSD CVS Digest is out.
To: None <tls@rek.tjls.com>
From: thilo <jeremias@optushome.com.au>
List: current-users
Date: 04/11/2006 19:21:03
Thor Lancelot Simon wrote:
>On Tue, Apr 11, 2006 at 03:28:34PM +1000, thilo wrote:
>
>
>>Till now I had the view that the core developer team would fit their
>>knowledge back into the group.
>>I wonder if the NDA signed with coverity is preventing them from
>>producing a list of bugs, or is this something else.
>>
>>
>
>I'd appreciate it if you'd stop making up absurd rumors.
>
>
Apologies,
David Maxwell stated that you guys had to sign an NDA to "get access". I
did read that as to get access to the results,
not the tool...
- fair enough. No more rumor!
>necessary) hundreds or thousands of Coverity reports. A malicious
>individual scanning through the report (if he had it in detail) trying
>to find _one_ bug to exploit can do that a lot faster than even a few
>dozen developers methodically working through every issue one by one
>
>
As far as I know about hackers, they do have access to Coverity,
and some of their exploits
do result from static source code analysis (not necessarily Coverity).
And I would like to quote:
http://www.crmbuyer.com/story/49224.html
"Ironically, Coverity's war on bugs may benefit hackers, Thornton added.
"A hacker that's going to use your program to launch another program on
a machine," Thornton often tells developers, "[doesn't] want your
program to crash while it's doing that.
"So, most bugs -- hackers don't like them either," he said. "
Which is a statement I agree with...
>and fixing each in turn. Thus I do not believe the unrestricted
>public disclosure of the list to be in anyone's best interest.
>
>
-- My opinion is apparent...
>Of course, we in no way keep secret any details of the bugs we fix, and
>you can see (once again, by looking at readily accessible information
>instead of spending your time rumormongering) that we are, in fact,
>methodically working our way through _all_ of the Coverity issues and
>fixing them.
>
>
-- People passively listening on this mailing list would probably happily
help walk through those bugs;
they are no enemies of the project (please don't view that as spam, I
think we all want to improve the system,
as it has some real advantages over lnx and others. "Many eyes" is what
we (I) want in order to get a more stable OS.
I don't need Coverity to find serious bugs, but it helps so that I won't
waste a lot of time debugging them. And
only where work is being done do bugs happen, and this list contains a
considerable amount of both.)
>In order to get direct access to the Coverity tool so that we can run
>it ourselves and adjust its parameters, an NDA is required; some aspects
>of *how the tool works* are considered proprietary by Coverity, and so
>you have your choice: either let them run it for you, and sign no NDA,
>or sign the NDA and run it yourself. The NDA in no way restricts our
>ability to fix bugs, as should be obvious because, for example, Coverity
>will happily provide access to the scan reports to any individual
>developer whether that person has signed an NDA or not.
>
>
-- Thanks, this statement made a lot of sense to me. I did not find anything
about that on netbsd.org.
>If you want lower quality results from Coverity's generous donation,
>by all means continue to spread rumor and innuendo. It is possible,
>
>
-- I guess that Coverity using open source for PR is a rumor.
Before I cause more flames on this subject, let me state that I really
do like NetBSD for a number of reasons;
one is that the sources are very consistent and easy to follow/understand.
I do not want to jeopardize the relationship we got offered by Coverity.
My main intention was to jump in and suggest fixes to areas
that I understand. Not more.
One last word: this list should be a pleasant place for all to read --
keep it that way!
thilo