From: Dan Lukes <dan@obluda.cz>
Date: Thu, 24 Apr 2014 11:25:02 +0200
To: freebsd-security@freebsd.org
Message-ID: <5358D86E.4060306@obluda.cz>
Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
In-Reply-To: <9330A007-63D2-4930-AB33-4EEE64AEF670@cederstrand.dk>

On 04/24/14 08:33, Erik Cederstrand:
> we need some way of marking them as false positive or wontfix, so the effort isn't duplicated. Out of the 10.000 reports, a conservative guess is that at least 100 of them are real security issues
> A year ago, I did a raid on reports about not checking the return value of setuid() and friends, which did uncover real issues.

Well, about nine years ago I spent some time analysing the warnings raised by the compiler during 'buildworld' (see bin/71632 for example). Most of them were false positives, of course, but it was possible to modify the code to avoid them in the future. Only a few true issues were discovered, of course. I created PRs and proposed patches for most of them - both the bugs and the warnings that can be avoided.

Many of those PRs have been left untouched for years. I concluded that the proactive approach is not very welcome. I'm not complaining in any way; it's about my feeling that I wasted my time on an activity that is not considered useful. I fully understand that reviewing tens of patches takes time, and that no fun or honor comes with that kind of work. That is it.

Yes, we need a "wontfix" mark, or something like it. But before that, the cleanup of code needs to be recognized as something valuable and important.
Heartbleed raised the dust, so we are discussing those issues now. But the dust will settle again within a few weeks. Reviewing "just code cleanup" reports will become a "not fun/no honor/time costly" task again. A kind of task with no priority.

Please note that my skills in English are very limited. I'm not trying to attack the committers or anyone else in any way. People tend to have human characteristics (I'm no exception), and un-fun tasks that can be delayed will be delayed. I'm just trying to explain why I feel that "we have no code analysis done yet" or "we need a wontfix flag" is not the most important question.

I'm not trying to push anyone. Just asking. If we (volunteers with no commit rights) spend time (and maybe money) to do the analysis, will someone with commit rights take the job, despite it being a time-costly task with little honor, and despite the Heartbleed dust having settled?

Dan