I strongly recommend that we take this conversation over to the
(committers-only) secur...@hadoop.apache.org mailing list. In general we
try to follow the Apache recommendations when it comes to addressing
security issues, which involves not publicly disclosing the vulnerability
until there are released version(s) with the issue(s) addressed.

Best,
Aaron


On Mon, Aug 26, 2013 at 8:24 PM, Jon Jarboe <jjar...@coverity.com> wrote:

> Thanks for the interest.  I'm in the process of building the 2.1.0 beta as
> suggested by Roman.
>
> Jon
> (214) 531-3496
>
>
> > -----Original Message-----
> > From: Ottenheimer, Davi [mailto:davi.ottenhei...@emc.com]
> > Sent: Monday, August 26, 2013 1:11 PM
> > To: common-dev@hadoop.apache.org
> > Subject: RE: Coverity Scan (MAPREDUCE-5032)
> >
> > Perhaps open the JIRA with only a reference/link to the Coverity report,
> > and limit access to only those working on the issues.
> >
> > Full disclosure, update the JIRA, after fix.
> >
> > --
> > Davi Ottenheimer
> > Senior Director of Trust
> > EMC Corporation
> > davi.ottenhei...@emc.com | @daviottenheimer | +1-415-271-6259
> > blog: http://www.flyingpenguin.com/
> >
> >
> > > -----Original Message-----
> > > From: shaposh...@gmail.com [mailto:shaposh...@gmail.com] On Behalf Of
> > > Roman Shaposhnik
> > > Sent: Monday, August 26, 2013 10:50 AM
> > > To: common-dev@hadoop.apache.org
> > > Subject: Re: Coverity Scan (MAPREDUCE-5032)
> > >
> > > On Mon, Aug 26, 2013 at 10:43 AM, Vinod Kumar Vavilapalli
> > > <vino...@apache.org> wrote:
> > > >
> > > > Can you file a JIRA and attach the report there? That is the best
> > > > way to move this forward.
> > >
> > > Last time I was involved in a Coverity scan was when they scanned
> > > another project I'm a committer on (FFmpeg). The lesson there was that
> > > the value you get out of browsing on their site
> > > https://scan.coverity.com is immeasurably higher than from any static
> > > report that can be attached to a JIRA.
> > >
> > > Also, at least in FFmpeg's case, Coverity identified a few things that
> > > could've been used as potential exploits so it made perfect sense to
> > > have a white-list of project members who could get access to the
> > > initial report instead of going all public with it to begin with
> > > (which would happen if it just gets attached to a JIRA in its
> > > entirety).
> > >
> > > Just my 2c worth of working with them in the past.
> > >
> > > Thanks,
> > > Roman.
> >
>
>
>
