From: Ales L. <ale...@re...> - 2013-01-07 11:25:09
----- Original Message -----
> From: "Zdenek Styblik" <zde...@gm...>
> To: "Ales Ledvinka" <ale...@re...>
> Cc: "ipmitool-devel" <ipm...@li...>
> Sent: Saturday, January 5, 2013 1:23:03 PM
> Subject: Re: [Ipmitool-devel] code analysis
>
> On Fri, Jan 4, 2013 at 8:10 PM, Ales Ledvinka <ale...@re...> wrote:
> [...]
> > Per issue, file or defect type group?
> >
>
> It's hard to say in a general way. Sometimes one is better than
> another and sometimes it's better to edit hell out of .c file.
>
> [...]
> >> > Reasonable minimal fix. If further questions remain then add some
> >> > XXX comment.
> >> >
> >>
> >> Hmm. I feel like question was about apples and answer oranges.
> >> Anyway, I wanted to say I've read: ``I'll hack in fixes'', but that's
> >> not the word I'm looking for. Sadly, I can't find English equivalent
> >> of word I'm looking for to ``reasonable minimal fix'', but let's say
> >> I'm looking forward for those code reviews.
> > Just re-read the "reasonable".
> >
>
> I've read it the first time. I've seen some "reasonable" things and I
> choose to remain skeptic.
>
> >>
> >> [...]
> >> >>
> >> >> What do you mean when you say you are going to release the report
> >> >> to the "public" with "the patch"?
> >> >
> >> > Once the changes are public it's like releasing the report so I was
> >> > thinking of attaching it to tracker item with patch to aid review.
> >> >
> >>
> >> Ales, can you please stop making secrets about something that's not
> >> secret? ipmitool is open-source. Static analysis, I presume that's
> >> what you, or Fedora, have used, tools are available to pretty much
> >> everyone. Also, there are other security issues like over/underflow
> >> via user input. So I doubt whatever "you" found is worse.
> >> On the bright side, I'm glad somebody has found time and made an
> >> effort to run ipmitool through analysis tool.
> >
> > Report quality may vary with analysis tool used.
>
> Yep, although I'm not sure what the point is. If we were talking about
> party with malicious intentions, I wouldn't underestimate it.
> I'm glad to see you're aware of pros and cons of analysis tools though.
>
> > Then it's about effort to generate the report,
> > effort to check the reported item
> > whether it's security issue or not and effort to fix it. These are
> > not the same thing.
>
> Right. And if you want to do it all behind the closed, but unlocked,
> doors, that's fine by me. However I'm not going to opt in, because
> that's not how I do things.
>
Doors remain doors, arrangements change depending on situation. I am
asking for sort of auditable handover, not door opening.

> > Feel free to request the report. And then it's
> > your decision whether you release it before anything else.
> >
>
> Don't get me wrong. I'm looking forward to it; hell, you can say I'm
> interested in; but I'm not desperate about it.
> It sounds to me as either sort of oxymoron or just passing a
> buck (which I, sort of, understand).
>
> Enough said,
> Z.