Re: [Ipmitool-devel] code analysis

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

----- Original Message -----
> From: "Zdenek Styblik" <zde...@gm...>
> To: "Ales Ledvinka" <ale...@re...>
> Cc: "ipmitool-devel" <ipm...@li...>
> Sent: Saturday, January 5, 2013 1:23:03 PM
> Subject: Re: [Ipmitool-devel] code analysis
> 
> On Fri, Jan 4, 2013 at 8:10 PM, Ales Ledvinka <ale...@re...>
> wrote:
> [...]
> > Per issue, file or defect type group?
> >
> 
> It's hard to say in a general way. Sometimes one is better than
> another and sometimes it's better to edit hell out of .c file.
> 
> [...]
> >> > Reasonable minimal fix. If further question remain then add some
> >> > XXX comment.
> >> >
> >>
> >> Hmm. I feel like question was about apples and answer oranges.
> >> Anyway, I wanted to say I've read: ``I'll hack in fixes'', but
> >> that's
> >> not the word I'm looking for. Sadly, I can't find English
> >> equivalent
> >> of word I'm looking for to ``reasonable minimal fix'', but let's
> >> say
> >> I'm looking forward for those code reviews.
> > Just re-read the "reasonable".
> >
> 
> I've read it the first time. I've seen some "reasonable" things and I
> choose to remain skeptic.
> 
> >>
> >> [...]
> >> >>
> >> >> What do you mean when you say you are going to release the
> >> >> report
> >> >> to
> >> >> the "public"
> >> >> with "the patch"?
> >> >
> >> > Once the changes are public it's like releasing the report so I
> >> > was
> >> > thinking of attaching it to tracker item with patch to aid
> >> > review.
> >> >
> >>
> >> Ales, can you please stop making secrets about something that's
> >> not
> >> secret? ipmitool is open-source. Static analysis, I presume that's
> >> what you, or Fedora, have used, tools are available to pretty much
> >> everyone. Also, there are other security issues like
> >> over/underflow
> >> via user input. So I doubt whatever "you" found is worse.
> >> On the bright side, I'm glad somebody have found time and made an
> >> effort to run ipmitool through analysis tool.
> >
> > Report quality may vary with analysis tool used.
> 
> Yep, although I'm not sure what the point is. If we were talking
> about
> party with malicious intentions, I wouldn't underestimate it.
> I'm glad to see you're aware of pros and cons of analysis tools
> though.
> 
> > Then it's about effort to generate the report,
> > effort to check the reported item
> > whether it's security issue or not and effort to fix it. These are
> > not the same thing.
> 
> Right. And if you want to do it all behind the closed, but unlocked,
> doors, that's fine by me. However I'm not going to opt in, because
> that's not how I do things.
> 
Doors remain doors, arrangements change depending on situation.
I am asking for sort of auditable handover, not door opening.

> > Feel free to request the report. And then it's
> > your decision whether you release it before anything else.
> >
> 
> Don't get me wrong. I'm looking forward to it; hell, you can say I'm
> interested in; but I'm not desperate about it.
> It sounds to me as either sort of oxymoron or just passing a
> buck(which I, sort of, understand).
> 
> Enough said,
> Z.
>