On Fri, Jun 5, 2026 at 12:58 PM Daniel P. Berrangé via OpenScanHub
<[email protected]> wrote:
>
> On Fri, Jun 05, 2026 at 12:32:38PM +0200, Siteshwar Vashisht wrote:
> > Hello,
> >
> > I am writing this message to get feedback from the community on new
> > findings by static analyzers in Critical Path Packages that have
> > changed in Fedora 45.
> >
> > TLDR: This report[1] contains a total of 53127 findings and 1242 new
> > findings identified since Fedora 44. An AI analysis has identified 14
> > important and 12 moderate impact findings that may have a security
> > impact. The reports containing these findings are highlighted in red.
> > Please review the report and provide feedback.
>
> This makes me uncomfortable because another way of writing this is...
>
>   "Here are 26 probable zero-day bugs we're publishing
>    analysis of with no notice"
>
> I know that it is generally considered acceptable to publish the raw
> scan results from static analysis. Someone could trawl the haystack,
> doing the triage needed to find the needles that turn into security
> reports.
>
> There is also a growing acceptance that bugs identified with AI/LLM
> tools should probably be considered as-good-as-public, since it is
> common for anyone using the same tools to co-discover the same
> bugs if they look at the same codebase.
>
> Nonetheless there is a difference between theoretical possibility
> of being public, and proactively making everything public.

I tried reaching out to maintainers individually earlier regarding the
AI analysis. While some maintainers reviewed and fixed bugs identified
by AI analysis, others were unwilling to look into the reports due to
AI slop. None of the findings identified in static analysis reports
have a critical (RCE) impact. The findings with important and moderate
impact are mostly missing NULL checks which may be hard to exploit in
a real world scenario. Analyzing the reports using Claude helped us
make the static analysis reports more actionable for the community. If
I find any bug with a critical impact in the future, I will directly
reach out to individual upstream or package maintainers. Thanks!

>
> Should we really be publishing detailed impact analysis of probable
> security bugs in this way with no prior warning to maintainers ?
>
> I know many other groups / individuals doing AI/LLM driven analysis
> of OSS projects I'm involved with and they all still report analysis
> confidentially, allowing maintainers at least a short window to
> determine a patch before things are unambiguously public.
>
> F45 may not be released yet, but the package versions analyzed in
> F45 are usually upstream releases and may already be released in
> other distros, as well as possibly already rebased into stable
> Fedora release streams.
>
> With regards,
> Daniel
> --
> |: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
> |: https://libvirt.org          ~~          https://entangle-photo.org :|
> |: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|

-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new