Fixes for some issues found using Coverity


Fixes for some issues found using Coverity

Kittel, Martin
Hi,

we ship krb5 as part of some of our products and as part of our QA we run Coverity scans on all components, including krb5.
As part of these scans a number of issues were found that we think need or might need fixing. I am wondering now how to best feed back those fixes into the mainline.
I have prepared a first bunch of git commits against the current HEAD from https://github.com/krb5/krb5 and tried to group them according to the Coverity findings. However, I don't know whether I can feed these into krb5-bugs directly. What is the preferred way to post such patches?

Thanks and best wishes,

Martin.

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Fixes for some issues found using Coverity

Greg Hudson
On 03/20/2017 01:03 PM, Kittel, Martin wrote:
> we ship krb5 as part of some of our products and as part of our QA we run Coverity scans on all components, including krb5.
> As part of these scans a number of issues were found that we think need or might need fixing. I am wondering now how to best feed back those fixes into the mainline.
> I have prepared a first bunch of git commits against the current HEAD from https://github.com/krb5/krb5 and tried to group them according to the Coverity findings. However, I don't know whether I can feed these into krb5-bugs directly. What is the preferred way to post such patches?

For any issue which might have a realistic security impact, please send
mail to [hidden email].  (It's likely that most Coverity
defects with a security impact have been fixed already, but there's a
chance that not all have.)  You can PGP-encrypt mail to krbcore-security
using the key listed at https://web.mit.edu/kerberos/contact.html if
you're set up to do that.

For other changes, please create a GitHub pull request.  See
https://k5wiki.kerberos.org/wiki/Contributing_code for more information.
Don't get too bogged down in the details; we can always fix those up if
necessary.

RE: Fixes for some issues found using Coverity

Kittel, Martin
Thanks for merging our patches.

We still have quite a number of Coverity messages to go through and I was wondering whether you are interested in more patches from our side. Chances are that most of them will be related to code hygiene rather than actual bugs, just as was the case with the current patch sets. For us as non-experts it is challenging to tell the two apart.
In any case, if we think Coverity found something critical or obvious bugs, then we will get in touch with you again.

Best wishes,

Martin.



Re: Fixes for some issues found using Coverity

Greg Hudson
On 03/30/2017 04:17 AM, Kittel, Martin wrote:
> We still have quite a number of Coverity messages to go through and I was wondering whether you are interested in more patches from our side.

Sure, please go ahead and submit more changes.  There is sometimes a
tension between making static analysis tools happy and making the code
look natural to a human reader, but in most cases there is a good
compromise.

RE: Fixes for some issues found using Coverity

Kittel, Martin
Hi Greg,

thanks again for merging our latest set of patches. We will let you know once we have more things ready that we think might be worthwhile patching.

Best wishes,

Martin.


