From: Ales L. <ale...@re...> - 2013-01-04 15:06:54
Hello,

I just joined the team. I have here the ipmitool Fedora 19 rawhide code analysis report. The report is for 1.8.12 with two picked cvs patches, so it's not cvs but close to fix there. I did not review the report for security issues, false positives or severity.

If you are a sf ipmitool developer and willing to help me fix some of the issues, then let me know and I will send the report to your sf address. There are 257 reported items in 18 sets spanning 37 files.

I am going to release the report to the public with the patch.
From: Jim M. <jm...@hp...> - 2013-01-04 15:54:56
Ales,

I am interested in understanding what kind of issues show up in the report, so please send it my way. I'm not familiar with "rawhide code analysis", so will I be able to understand the report? I don't know how much I can help with the fixing, but if I have time I'll do what I can.

I'm curious as to how you will determine which issues to fix. What are the two "picked cvs patches" that you felt you needed to include into 1.8.12? If you are trying to clean up ipmitool for release, could we do the cleanup on TOB CVS and then release 1.8.13?

What do you mean when you say you are going to release the report to the "public" with "the patch"?

-- Jim Mankovich | jm...@hp... (MST) --

On 1/4/2013 8:06 AM, Ales Ledvinka wrote:
[...]
From: Ales L. <ale...@re...> - 2013-01-04 16:48:51
> I don't know how much I can help with the fixing, but if I have time I'll do what I can.

You are welcome. Send me mail with the list of files you are going to touch.

> I'm curious as to how will you determine which issues to fix?

Reasonable minimal fix. If further questions remain, then add some XXX comment.

> What are the two "picked cvs patches" that you felt you needed to include into 1.8.12?

OEM only code with Fedora OEM partner bugzilla.

> If you are trying to clean up ipmitool for release, could we do the cleanup on TOB CVS

TOB? Do you mean branch tag?

> and then release 1.8.13?

That is what I was thinking.

> What do you mean when you say you are going to release the report to the "public" with "the patch"?

Once the changes are public it's like releasing the report, so I was thinking of attaching it to a tracker item with the patch to aid review.
From: Zdenek S. <zde...@gm...> - 2013-01-04 17:17:57
On Fri, Jan 4, 2013 at 5:48 PM, Ales Ledvinka <ale...@re...> wrote:
>
>> I don't know how much I can help with the fixing, but if I have time I'll do what I can.
>
> You are welcome. Send me mail with the list of files you are going to touch.

I hope you two will find a better way than this. Like creating tickets for these issues at SF.net and using the ``Assigned'' attribute.

>
>> I'm curious as to how will you determine which issues to fix?
>
> Reasonable minimal fix. If further question remain then add some XXX comment.
>

Hmm. I feel like the question was about apples and the answer oranges. Anyway, I wanted to say I've read: ``I'll hack in fixes'', but that's not the word I'm looking for. Sadly, I can't find an English equivalent of the word I'm looking for to ``reasonable minimal fix'', but let's say I'm looking forward to those code reviews.

[...]

>>
>> What do you mean when you say you are going to release the report to the "public" with "the patch"?
>
> Once the changes are public it's like releasing the report so I was thinking of attaching it to tracker item with patch to aid review.
>

Ales, can you please stop making secrets about something that's not secret? ipmitool is open-source. Static analysis, I presume that's what you, or Fedora, have used, tools are available to pretty much everyone. Also, there are other security issues like over/underflow via user input. So I doubt whatever "you" found is worse.

On the bright side, I'm glad somebody has found time and made an effort to run ipmitool through an analysis tool.

Z.
From: Jim M. <jm...@hp...> - 2013-01-04 19:01:46
Z & Ales,

I would agree that there should be tickets for the issues. In fact, there may already be tickets for some of the issues found by the analysis. Not having any info yet on what the code analysis shows, it's pretty hard to have any feeling for what, if anything, might really need to be fixed.

-- Jim Mankovich | jm...@hp... (MST) --

On 1/4/2013 10:17 AM, Zdenek Styblik wrote:
[...]
From: Ales L. <ale...@re...> - 2013-01-04 19:10:30
----- Original Message -----
> From: "Zdenek Styblik" <zde...@gm...>
> To: "Ales Ledvinka" <ale...@re...>
> Cc: "Jim Mank" <jm...@hp...>, "ipmitool-devel" <ipm...@li...>
> Sent: Friday, January 4, 2013 6:17:49 PM
> Subject: Re: [Ipmitool-devel] code analysis
>
> On Fri, Jan 4, 2013 at 5:48 PM, Ales Ledvinka <ale...@re...> wrote:
> >
> >> I don't know how much I can help with the fixing, but if I have time I'll do what I can.
> >
> > You are welcome. Send me mail with the list of files you are going to touch.
>
> I hope you two will find a better way than this. Like creating tickets for these issues at SF.net and use ``Assigned'' attribute.

Per issue, file or defect type group?

> >
> >> I'm curious as to how will you determine which issues to fix?
> >
> > Reasonable minimal fix. If further question remain then add some XXX comment.
> >
>
> Hmm. I feel like question was about apples and answer oranges. Anyway, I wanted to say I've read: ``I'll hack in fixes'', but that's not the word I'm looking for. Sadly, I can't find English equivalent of word I'm looking for to ``reasonable minimal fix'', but let's say I'm looking forward for those code reviews.

Just re-read the "reasonable".

> [...]
> >>
> >> What do you mean when you say you are going to release the report to the "public" with "the patch"?
> >
> > Once the changes are public it's like releasing the report so I was thinking of attaching it to tracker item with patch to aid review.
> >
>
> Ales, can you please stop making secrets about something that's not secret? ipmitool is open-source. Static analysis, I presume that's what you, or Fedora, have used, tools are available to pretty much everyone. Also, there are other security issues like over/underflow via user input. So I doubt whatever "you" found is worse.
> On the bright side, I'm glad somebody have found time and made an effort to run ipmitool through analysis tool.

Report quality may vary with the analysis tool used. Then it's about the effort to generate the report, the effort to check whether a reported item is a security issue or not, and the effort to fix it. These are not the same thing. Feel free to request the report. And then it's your decision whether you release it before anything else.

> Z.
From: Zdenek S. <zde...@gm...> - 2013-01-05 12:23:11
On Fri, Jan 4, 2013 at 8:10 PM, Ales Ledvinka <ale...@re...> wrote:
[...]
> Per issue, file or defect type group?
>

It's hard to say in a general way. Sometimes one is better than another and sometimes it's better to edit the hell out of a .c file.

[...]
>> > Reasonable minimal fix. If further question remain then add some XXX comment.
>> >
>>
>> Hmm. I feel like question was about apples and answer oranges. Anyway, I wanted to say I've read: ``I'll hack in fixes'', but that's not the word I'm looking for. Sadly, I can't find English equivalent of word I'm looking for to ``reasonable minimal fix'', but let's say I'm looking forward for those code reviews.
> Just re-read the "reasonable".
>

I've read it the first time. I've seen some "reasonable" things and I choose to remain skeptical.

>>
>> [...]
>> >>
>> >> What do you mean when you say you are going to release the report to the "public" with "the patch"?
>> >
>> > Once the changes are public it's like releasing the report so I was thinking of attaching it to tracker item with patch to aid review.
>> >
>>
>> Ales, can you please stop making secrets about something that's not secret? ipmitool is open-source. Static analysis, I presume that's what you, or Fedora, have used, tools are available to pretty much everyone. Also, there are other security issues like over/underflow via user input. So I doubt whatever "you" found is worse.
>> On the bright side, I'm glad somebody have found time and made an effort to run ipmitool through analysis tool.
>
> Report quality may vary with analysis tool used.

Yep, although I'm not sure what the point is. If we were talking about a party with malicious intentions, I wouldn't underestimate it. I'm glad to see you're aware of the pros and cons of analysis tools though.

> Then it's about effort to generate the report, effort to check the reported item whether it's security issue or not and effort to fix it. These are not the same thing.

Right. And if you want to do it all behind closed, but unlocked, doors, that's fine by me. However I'm not going to opt in, because that's not how I do things.

> Feel free to request the report. And then it's your decision whether you release it before anything else.
>

Don't get me wrong. I'm looking forward to it; hell, you can say I'm interested in it; but I'm not desperate about it. It sounds to me like either a sort of oxymoron or just passing the buck (which I, sort of, understand).

Enough said,
Z.
From: Ales L. <ale...@re...> - 2013-01-07 11:25:09
----- Original Message -----
> From: "Zdenek Styblik" <zde...@gm...>
> To: "Ales Ledvinka" <ale...@re...>
> Cc: "ipmitool-devel" <ipm...@li...>
> Sent: Saturday, January 5, 2013 1:23:03 PM
> Subject: Re: [Ipmitool-devel] code analysis
>
> On Fri, Jan 4, 2013 at 8:10 PM, Ales Ledvinka <ale...@re...> wrote:
> [...]
> > > Then it's about effort to generate the report, effort to check the reported item whether it's security issue or not and effort to fix it. These are not the same thing.
>
> Right. And if you want to do it all behind the closed, but unlocked, doors, that's fine by me. However I'm not going to opt in, because that's not how I do things.
>

Doors remain doors, arrangements change depending on the situation. I am asking for a sort of auditable handover, not door opening.

> > Feel free to request the report. And then it's your decision whether you release it before anything else.
> >
>
> Don't get me wrong. I'm looking forward to it; hell, you can say I'm interested in; but I'm not desperate about it. It sounds to me as either sort of oxymoron or just passing a buck (which I, sort of, understand).
>
> Enough said,
> Z.
From: Zdenek S. <zde...@gm...> - 2013-01-07 11:31:26
On Mon, Jan 7, 2013 at 12:25 PM, Ales Ledvinka <ale...@re...> wrote:
[...]
>> > Then it's about effort to generate the report, effort to check the reported item whether it's security issue or not and effort to fix it. These are not the same thing.
>>
>> Right. And if you want to do it all behind the closed, but unlocked, doors, that's fine by me. However I'm not going to opt in, because that's not how I do things.
>>
> Doors remain doors, arrangements change depending on situation.
> I am asking for sort of auditable handover, not door opening.
>

*shrug* It's my personal preference and choice and I stand firmly behind it. No worries though.

Z.
From: Ales L. <ale...@re...> - 2013-01-07 15:59:15
I am not sure where the misinterpretation on this thread is. Could it be the one incorrect word translation when asking for the membership, combined with the first post on this thread?

The sf hides emails. So I am sending to the sf mail unless I can see the non-sf email as recognized by an active developer or in the log or sources.

Btw, I just realized the report usage is probably limited by license. So the plan to attach it to the review is over unless I have some clarification.

----- Original Message -----
From: "Zdenek Styblik" <zde...@gm...>
To: "Ales Ledvinka" <ale...@re...>
Cc: "ipmitool-devel" <ipm...@li...>
Sent: Monday, January 7, 2013 12:31:19 PM
Subject: Re: [Ipmitool-devel] code analysis

On Mon, Jan 7, 2013 at 12:25 PM, Ales Ledvinka <ale...@re...> wrote:
[...]