What basically do coverity scans?

All development related issues welcome

Moderator: Moderator Team

Mna.
Posts: 126
Joined: Thu Dec 02, 2010 3:13 pm

Re: What basically do coverity scans?

Post by Mna. »

to vicmarcal:
Yes, you had answered, but the technical details are what I am hunting for :)
Thanks anyways
vicmarcal
Test Team
Posts: 2733
Joined: Mon Jul 07, 2008 12:35 pm

Re: What basically do coverity scans?

Post by vicmarcal »

Mna. wrote: to vicmarcal:
Yes, you had answered, but the technical details are what I am hunting for :)
Thanks anyways
Well, we don't have technical details; they just give us the bugs found and we fix them.
We just see the results of the scanning.
Also, even if we knew the technical details, we couldn't reveal them as part of our Coverity agreement.
Coverity earns money from their technical details, so we cannot spread them. Sorry ^^
Z98
Release Engineer
Posts: 3379
Joined: Tue May 02, 2006 8:16 pm

Re: What basically do coverity scans?

Post by Z98 »

The premise that ROS is unusable for daily usage as a reason we should release information about how to exploit bugs in our code comes off as bloody irresponsible. That attitude seems to suggest a rather lax approach to security matters in general. But that's my personal opinion. To those claiming that doing so will somehow bring in new contribution, my position remains that we would not get a significantly large enough increase in contributions to offset the fact that we're effectively providing people with information about how to compromise ROS. We already have the source code open, we have tons of bug reports, we have multiple vectors in which an interested person can find a starting point to work on something in ROS. Suggesting that coverity reports should be another entry point is not what I personally would consider appropriate. We're basically saying, oh, we aren't worried about security, because you can't use ROS. Well, when then are people supposed to be able to use ROS? Basing how we handle security issues around the presumption of people not using our stuff is just bad practice. We're the ones asking people to try out ROS. We have a responsibility to at least try and handle security issues in a way that will not compromise people who we ask to try out our code.
hto
Developer
Posts: 2193
Joined: Sun Oct 01, 2006 3:43 pm

Post by hto »

Z98 wrote: That attitude seems to suggest a rather lax approach to security matters in general.
Not in general. Only at these early development stages, when there is no heavy burden of responsibility yet.

Hiding bugs will not help to fix them.
Z98 wrote: […] we have multiple vectors in which an interested person can find a starting point to work on something in ROS.
The more starting points, the more chances to get someone to work on them. Some people are interested in some particular kinds of problems (such as security ;)
Z98 wrote: Well, when then are people supposed to be able to use ROS?
It seems some people deceive themselves thinking that "it won't take a long time" to have a usable OS. I'm sure it will take enough time…
Z98 wrote: We're the ones asking people to try out ROS. We have a responsibility to at least try and handle security issues in a way that will not compromise people who we ask to try out our code.
Yes, to try, not to use it regularly. Most people run it under emulators or on dedicated testing machines and frequently reinstall it, so if it is compromised, the damage is limited.

If somebody wants to exploit security bugs in ReactOS, better that they do it earlier, when it will not inflict much harm. Sooner or later, crackers will find many holes, with or without Coverity's help. Let it be sooner rather than later.
Z98
Release Engineer
Posts: 3379
Joined: Tue May 02, 2006 8:16 pm

Re: What basically do coverity scans?

Post by Z98 »

I remain unconvinced there is any value in providing coverity reports as an 'entry point' and will leave this discussion with the position that if this is ever proposed to the devs, I'll be fighting any attempt to open the reports before the issues in the reports are fixed.
greenie
Posts: 145
Joined: Mon Jan 19, 2009 12:10 am

Re: What basically do coverity scans?

Post by greenie »

I think it would be nice if the information were available, as the idea of open source is that you can fix the software you use even if someone else does not.

Plus, I have seen security issues published about security flaws on other systems. I remember last year there was a publication of a glitch that made private SSL/SSH keys guessable on Debian servers (I don't know the details). As a server administrator, wouldn't you want to know about the bug? Especially when someone else could find these without the report. Even home users could be helped when they find out that custom cursors could execute code on your machine (a real bug that was in Windows and would affect all browsers that allowed custom cursors). This way I could disable custom cursors in my browser. Despite Windows being closed source, people found this bug. Sure, it may make it easier, though I don't think good security comes from mystery protocols, but from well implemented protocols. When companies use ReactOS they may have in-house specialists who would definitely like to know about these issues. In fact, in a way I suspect it will be more important in the future rather than now.

Though I still understand your point of view. I don't really mind though. As there are few developers participating anyway at the moment.
Z98
Release Engineer
Posts: 3379
Joined: Tue May 02, 2006 8:16 pm

Re: What basically do coverity scans?

Post by Z98 »

There's a distinction between hiding security issues and disclosing them responsibly. Please do not conflate the two, as that will just lead to misunderstanding the positions here.
SuperDog
Translation Team
Posts: 124
Joined: Tue Mar 04, 2008 2:52 am

Re: What basically do coverity scans?

Post by SuperDog »

Z98 are you the one that made Coverity scans possible in the first place? Or, were you at least involved in signing the agreement?
zefklop
Developer
Posts: 114
Joined: Sat Feb 11, 2006 8:47 pm

Re: What basically do coverity scans?

Post by zefklop »

SuperDog : I don't think you're able to speak to Z98 with this rudeness. If there were a hierarchy in ReactOS development, he would be far above you.
SuperDog
Translation Team
Posts: 124
Joined: Tue Mar 04, 2008 2:52 am

Re: What basically do coverity scans?

Post by SuperDog »

Honestly, I have no idea where you got that from, zefklop.
Z98
Release Engineer
Posts: 3379
Joined: Tue May 02, 2006 8:16 pm

Re: What basically do coverity scans?

Post by Z98 »

Umm, let's not let this degenerate into an argument here.

In answering, it was I believe Art Yerkes and a Haiku community member that set up the initial Coverity stuff, or at least the first run through Coverity's analysis tools. Or at least I believe it was arty, it might have been someone else that worked to get the build process working with their tools. It was our Haiku friends that helped us get in touch with Coverity in the first place. Right now Amine is the one that handles access to the reports, though Aleksey has the final say when there is any question of should someone be given access. He would also have the final say about opening up access if the matter was ever raised, though he would take input from the rest of the developers and support people like me. And I haven't exactly hidden what side of the argument I would be on if the issue was ever considered.
vicmarcal
Test Team
Posts: 2733
Joined: Mon Jul 07, 2008 12:35 pm

Re: What basically do coverity scans?

Post by vicmarcal »

As the title (and question) of the thread was:
"What basically do coverity scans?"
and it was answered, I think we should stop here :)
This thread is now talking about a totally different thing.
And this new thing, called "Discussion about Coverity and its results", belongs better on the ros-priv or ros-dev mailing lists, as only our devs can take an internal decision.


PS: Today my English sucks
mrugiero
Posts: 482
Joined: Sun Feb 14, 2010 9:12 am

Re: What basically do coverity scans?

Post by mrugiero »

vicmarcal wrote: PS: Today my English sucks
Today, you are like me (?)
One or two days ago I sent you a PM; I suspect it didn't arrive, mainly because the notification addressed to vicmarcal arrived in my mail XD
If you confirm that it didn't arrive, I'll resend it, since I wanted to ask you something.
Haos
Test Team
Posts: 2954
Joined: Thu Mar 22, 2007 5:42 am

Re: What basically do coverity scans?

Post by Haos »

It's still an English board; please adhere to the rules and keep Spanish text in your national board.