current-users: Re: Issue 50 of the NetBSD CVS Digest is out.

Subject: Re: Issue 50 of the NetBSD CVS Digest is out.
To: Rhialto <rhialto@falu.nl>
From: David Maxwell <david@crlf.net>
List: current-users
Date: 04/10/2006 17:32:26

On Mon, 10 Apr 2006, Rhialto wrote:
> On Mon 10 Apr 2006 at 16:34:32 -0400, David Maxwell wrote:
> > Are you suggesting that companies shouldn't contribute to open source
> > projects because they'll then come under fire for not "giving away"
> > the way they make their business work?
> 
> It makes it more difficult to verify what is going on. Many security
> analists argue that full disclosure of any security bugs in products is
> the best overall strategy. Do we know now if all problems that are found
> are being disclosed, or if perhaps some are witheld? I guess we can't
> check. (Yes, I tend to be paranoid)

It does not make it difficult to verify 'what's going on' in any way.

The NetBSD CVS is still public.

Commits to the tree are still made only by Members of The NetBSD Foundation.
(which doesn't include anyone from Coverity, or DoHS, AFAIK)

Commits are easily followed via the source-changes list, because they
should all reference the Coverity ID#. Other projects are following NetBSD
commits this way, and pulling in fixes to their codebases.

In short, the only thing that's not public is the list of 'found' problems
which Coverity's tools report. There's no particular need for it to be public,
it would instigate a lot of discussion over the false positives we haven't
commented on yet - and hopefully, it will continue to approach zero as
quickly as it has so far.

> > > Also, the apparent involvement of the
> > > department for so-called "homeland security" [1] brings a certain taint
> > > along.
> > 
> > While some people may dislike some of what that (US) Government
> > department does, would you claim that makes it impossible for them to
> > fund any thing which is worthwhile and beneficial?
> 
> They might fund such things, but these people might question the motives
> behind it. Again, I tend to be paranoid.

Since DoHS has no input to our tree, the only questionable motive I can
see would be for them to be aware of bugs in NetBSD before we fix them.
AND, if they wanted to do that, why not just pay Coverity to distribute
the results only to DoHS?

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
Any sufficiently advanced Common Sense will seem like magic... 
					      - me