On 01/06/2012 07:25 PM, Chris Wright wrote:
* Corey Bryant (cor...@linux.vnet.ibm.com) wrote:
Count me in for step 2.  A good approach may be to run a static
analysis tool against the code, followed by a manual scan of the
code for common vulnerabilities that static analysis can't find.

Good idea.  Folks are already running things like Coverity.  The false
positive rate is high enough that it's a lot to wade through at first
(so extra eyes could be quite helpful here).  Perhaps the people who
are involved in this could share some of their findings.

Markus has already done a pretty extensive review and cleanup using Coverity. I'm not sure if he managed to cover all the real issues, have you?

btw: in case a real security flaw is detected, I'd like to ask the volunteering audit folks to report a CVE [1] and not to disclose the info until the embargo is lifted.

I think that kvm and qemu need to have a security page like this:
http://www.webkit.org/security/

Cheers,
Dor

[1] http://oss-security.openwall.org/wiki/disclosure/cve

thanks,
-chris
