For the record: there is now a private mailing list fuzz-testing@commons
On Fri, 12 Mar 2021 at 14:00, sebb wrote:
>
> It might be possible to set up a dedicated mailing list just for these
> reports, privately archived.
> RMs could then be encouraged to check the list in the run-up to a
> releas
It might be possible to set up a dedicated mailing list just for these
reports, privately archived.
RMs could then be encouraged to check the list in the run-up to a
release (or they could subscribe).
If it turns out that the mail traffic is not too onerous, the mails
could be redirected to securi
If you don't want reports to get lost, but there is no suitable
mailing list, there is also the option to add multiple email addresses
(possibly private ones of individual contributors).
See https://google.github.io/oss-fuzz/getting-started/new-project-guide/#primary
for the details.
Changing the l
> > On Tue, Mar 9, 2021 at 11:16 PM sebb wrote:
> > >
> > > How often will the tool be run?
> > > How often does it need to be run?
> >
> > OSS-Fuzz runs its fuzzers continuously and will automatically pick up
> > new project commits. I don't know its precise schedule, but I expect
> > every proje
On Wed, 10 Mar 2021 at 07:13, Fabian Meumertzheim
wrote:
>
> On Tue, Mar 9, 2021 at 11:16 PM sebb wrote:
> >
> > How often will the tool be run?
> > How often does it need to be run?
>
> OSS-Fuzz runs its fuzzers continuously and will automatically pick up
> new project commits. I don't know its
On Tue, Mar 9, 2021 at 11:16 PM sebb wrote:
>
> How often will the tool be run?
> How often does it need to be run?
OSS-Fuzz runs its fuzzers continuously and will automatically pick up
new project commits. I don't know its precise schedule, but I expect
every project to be fuzzed at least a coup
How often will the tool be run?
How often does it need to be run?
On Tue, 9 Mar 2021 at 22:01, Matt Sicker wrote:
>
> Perhaps the output of this tool won't have nearly as much spam as
> Dependabot et al? If so, we could just use the security list.
>
> On Tue, 9 Mar 2021 at 15:48, sebb wrote:
> >
Perhaps the output of this tool won't have nearly as much spam as
Dependabot et al? If so, we could just use the security list.
On Tue, 9 Mar 2021 at 15:48, sebb wrote:
>
> On Tue, 9 Mar 2021 at 21:38, Gary Gregory wrote:
> >
> > What if we make the existing notification list private? Who uses t
On Tue, 9 Mar 2021 at 21:38, Gary Gregory wrote:
>
> What if we make the existing notification list private? Who uses that
> one and for what?
Not a good idea, as the contents are appropriate to developers not on the PMC.
> G
>
> On Tue, Mar 9, 2021 at 3:41 PM Torsten Curdt wrote:
> >
> > > At
What if we make the existing notification list private? Who uses that
one and for what?
G
On Tue, Mar 9, 2021 at 3:41 PM Torsten Curdt wrote:
>
> > At least for Compress I see value in Fuzz testing.
> > Any other opinions?
> >
>
> I totally see the value and it should go to a private list.
> At least for Compress I see value in Fuzz testing.
> Any other opinions?
>
I totally see the value and it should go to a private list.
On 2021-03-09, Gary Gregory wrote:
> A reminder that we can break our own builds by configuring maven plugins
> like spotbugs, pmd, and so on. If we need to configure another plugin to
> run in our builds to check for different errors, then let's consider that.
Fuzz testing needs compute power bey
A reminder that we can break our own builds by configuring maven plugins
like spotbugs, pmd, and so on. If we need to configure another plugin to
run in our builds to check for different errors, then let's consider that.
Or any dev is free to do whatever outside of builds, but, that only leaves
ro
On Tue, Mar 9, 2021, 13:10 Stefan Bodewig wrote:
> On 2021-03-08, Gary Gregory wrote:
>
> > Note that we already have FIVE mailing lists:
>
> > commits
> > dev
> > issues
> > notifications
> > user
>
> which are all public
>
> > PLUS, private and security.
>
> subscribers of which will probably n
On 2021-03-08, Gary Gregory wrote:
> Note that we already have FIVE mailing lists:
> commits
> dev
> issues
> notifications
> user
which are all public
> PLUS, private and security.
subscribers of which will probably not like to receive automated emails.
> Do we really want a SIXTH? Can't thi
Note that we already have FIVE mailing lists:
commits
dev
issues
notifications
user
PLUS, private and security.
Do we really want a SIXTH? Can't this fit in one of the above?
Gary
On Mon, Mar 8, 2021 at 12:43 PM Stefan Bodewig wrote:
>
> On 2021-03-08, Gary Gregory wrote:
>
> > Are we talking
On 2021-03-08, Gary Gregory wrote:
> Are we talking about a human sending emails to the security list or letting
> the actual tool loose on the list to possibly spam it with false positives?
We are talking about a tool sending mails that (currently) is unable to
identify whether an issue it detec
Are we talking about a human sending emails to the security list or letting
the actual tool loose on the list to possibly spam it with false positives?
Gary
On Mon, Mar 8, 2021, 02:56 Peter Lee wrote:
> I think the security list is a good choice.
>
> Lee
> On Mar 8 2021, at 2:55, Stefan Bodewig
I think the security list is a good choice.
Lee
On Mar 8 2021, at 2:55, Stefan Bodewig wrote:
> On 2021-03-07, Gary Gregory wrote:
>
> > This issue has popped as well WRT GitHub emails from Dependabot.
> I don't think this is comparable.
> The fuzzer may find issues that can be exploited as DoS att
On 2021-03-07, Gary Gregory wrote:
> This issue has popped as well WRT GitHub emails from Dependabot.
I don't think this is comparable.
The fuzzer may find issues that can be exploited as DoS attacks, so the
results probably should go to a subscription-moderated list IMHO.
Stefan
> Gary
> On
This issue has popped as well WRT GitHub emails from Dependabot.
Gary
On Sun, Mar 7, 2021, 12:45 Matt Sicker wrote:
> We could create another private list for static analysis alerts perhaps?
>
> On Sun, 7 Mar 2021 at 03:51, Stefan Bodewig wrote:
> >
> > On 2021-03-07, Fabian Meumertzheim wrote
We could create another private list for static analysis alerts perhaps?
On Sun, 7 Mar 2021 at 03:51, Stefan Bodewig wrote:
>
> On 2021-03-07, Fabian Meumertzheim wrote:
>
> > On Sat, Mar 6, 2021 at 10:08 PM Stefan Bodewig wrote:
>
> >> OTOH I'm not sure I understand the requirements of OSS-Fuzz
On 2021-03-07, Fabian Meumertzheim wrote:
> On Sat, Mar 6, 2021 at 10:08 PM Stefan Bodewig wrote:
>> OTOH I'm not sure I understand the requirements of OSS-Fuzz. I haven't
>> read the docs only looked at the image of the process. Seeing a
>> Sheriffbot tracking deadlines makes me very uncomf
On Sat, Mar 6, 2021 at 10:08 PM Stefan Bodewig wrote:
> OTOH I'm not sure I understand the requirements of OSS-Fuzz. I haven't
> read the docs only looked at the image of the process. Seeing a
> Sheriffbot tracking deadlines makes me very uncomfortable. I'm a
> volunteer and so are most other
On 2021-03-05, Fabian Meumertzheim wrote:
> I am one of the maintainers of Jazzer
> (https://github.com/CodeIntelligenceTesting/jazzer), a new open-source
> fuzzer for JVM projects based on libFuzzer.
> I have set up a few Commons projects for local fuzzing with Jazzer,
> which led to quite a fe
I am one of the maintainers of Jazzer
(https://github.com/CodeIntelligenceTesting/jazzer), a new open-source
fuzzer for JVM projects based on libFuzzer.
I have set up a few Commons projects for local fuzzing with Jazzer,
which led to quite a few bug reports in Compress and other projects
(https:/