[Python-Dev] Coverity scan

Christian Heimes lists at cheimes.de
Fri Sep 7 12:23:45 CEST 2012


On 06.09.2012 10:59, Stefan Krah wrote:
> The mailing list would be nice especially if we could get the results in
> verbose text form, but I don't know if that's possible.

I've added my account to the notification list, but I've not yet received
a mail, as no new issue was introduced. Coverity also sends an email for
every successful or failed build. So far the mails end up in my inbox.

> BTW, do we keep all buffer overruns secret or can we post them on the tracker
> if it's an off-by-one and unlikely to be exploitable?

I'd say use your best discretion. In the unlikely case that Coverity
finds a buffer overflow that can be abused remotely we have to go
through PSRT and publish security fix releases. At a first glance no bug
looked that severe to me.

IMHO it makes sense to define a workflow for how we are going to handle
Coverity issues. Each Coverity issue has an identifier and can have
information like an external reference and an action. I've seen that you
have started to create bugs in our tracker. How about we mention the
Coverity # in the bug, add a link to the bug in the "Ext. Reference"
field of the Coverity issue, and set the Action to "Claimed, being worked
on"?

In case you got curious about Coverity, I've created a screenshot for you:
http://imm.io/Duel

Christian
