Fixes for some issues found using Coverity
Kittel, Martin
2017-03-20 17:03:42 UTC
Hi,

we ship krb5 as part of some of our products and as part of our QA we run Coverity scans on all components, including krb5.
As part of these scans a number of issues were found that we think need or might need fixing. I am wondering now how to best feed back those fixes into the mainline.
I have prepared a first bunch of git commits against the current HEAD from https://github.com/krb5/krb5 and tried to group them according to the Coverity findings. However I don't know whether I can feed these into krb5-bugs directly. What is the preferred way to post such patches?

Thanks and best wishes,

Martin.

_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
Greg Hudson
2017-03-20 17:12:36 UTC
Post by Kittel, Martin
we ship krb5 as part of some of our products and as part of our QA we run Coverity scans on all components, including krb5.
As part of these scans a number of issues were found that we think need or might need fixing. I am wondering now how to best feed back those fixes into the mainline.
I have prepared a first bunch of git commits against the current HEAD from https://github.com/krb5/krb5 and tried to group them according to the Coverity findings. However I don't know whether I can feed these into krb5-bugs directly. What is the preferred way to post such patches?
For any issue which might have a realistic security impact, please send
mail to krbcore-***@mit.edu. (It's likely that most Coverity
defects with a security impact have been fixed already, but there's a
chance that not all have.) You can PGP-encrypt mail to krbcore-security
using the key listed at https://web.mit.edu/kerberos/contact.html if
you're set up to do that.

For other changes, please create a github pull request. See
https://k5wiki.kerberos.org/wiki/Contributing_code for more information.
Don't get too bogged down in the details; we can always fix those up if
necessary.
Kittel, Martin
2017-03-30 08:17:36 UTC
Thanks for merging our patches.

We still have quite a number of Coverity messages to go through and I was wondering whether you are interested in more patches from our side. Chances are that most of them will be related to code hygiene rather than actual bugs, just as was the case with the current patch sets. For us as non-experts it is challenging to tell the two apart.
In any case, if we think Coverity has found something critical or an obvious bug, then we will get in touch with you again.

Best wishes,

Martin.


Greg Hudson
2017-03-30 14:53:24 UTC
Post by Kittel, Martin
We still have quite a number of Coverity messages to go through and I was wondering whether you are interested in more patches from our side.
Sure, please go ahead and submit more changes. There is sometimes a
tension between making static analysis tools happy and making the code
look natural to a human reader, but in most cases there is a good
compromise.
Kittel, Martin
2017-04-25 11:48:50 UTC
Hi Greg,

thanks again for merging our latest set of patches. We will let you know once we have more things ready that we think might be worth patching.

Best wishes,

Martin.