PSA: If you are C/C++ developer, use cppcheck
Ondrej Vasik
ovasik at redhat.com
Wed Dec 18 17:54:05 UTC 2013
On Wed, 2013-12-18 at 16:47 +0100, Reindl Harald wrote:
> Am 18.12.2013 16:37, schrieb Dave Jones:
> > On Wed, Dec 18, 2013 at 09:12:06AM +0100, Ondrej Vasik wrote:
> >
> > > Publishing them is a bit tricky - I can of course publish them (we scan
> > > with cppcheck, enhanced gcc warnings, clang and coverity) - but the
> > > reports may contain some attack vectors - and for inactive packages, it
> > > would only show the doors to attackers.
> >
> > Then it's a good thing that attackers don't have any money and can't afford
> > to buy a checker license themselves.
> >
> > Hiding bugs doesn't make them go away, and pretending we have tools bad people
> > don't is a fallacy.
>
> +1
>
> and only if security problems are public makes enough pressure
> for too many developers to care about them - and before someone
> says "and they may still not care about them", well, than you
> know which piece of software should be replaced next instead
> other working pieces
>
> seucrity by obscurity is dumb, did never work and will never work
Btw. you can check how it worked for the project where both RH and
upstream were WILLING to work on the report and published it on wiki -
net-snmp example is at
http://www.net-snmp.org/wiki/index.php/5.7.1_Coverity_scan - even after
2 years, there are some groups unchecked (although the most critical
ones were analyzed and fixed/commented in ~1 year).
Greetings,
Ondrej
More information about the devel
mailing list