On Wed, Jul 2, 2014 at 10:42 PM, Salz, Rich <rs...@akamai.com> wrote:
>> I write fixes for pieces of software that I depend on. Some time ago, I
>> sent a diff for OpenSSL.
>
> Great, thanks.
>
>> If I'm interested in fixing OpenSSL, why shouldn't I have access to Coverity
>> scans?
>>
>> Other Open Source projects have provided me access to their Coverity scans,
>> despite the fact that I'm not a committer.
>
> There are security concerns. For example, the recent Heartbleed vulnerability
> exposed long-term private keys, user passwords and all sorts of stuff.
> This makes OpenSSL software different from something like a packet dump or
> mail reader. I don't know what the scans say, and I understand your
> disappointment, but we really need to be careful about making vulnerability
> scans generally available. And then there is the question of where we draw
> the line. I am all in favor of responsible disclosure, but unfortunately the
> bad guys -- who, yes, may already have Coverity or other scans -- are
> interested as well.

I reported a vulnerability to FreeBSD (see
http://www.freebsd.org/security/advisories/FreeBSD-SA-13:12.ifioctl.asc)
by going through the responsible disclosure process.

Are you implying that I'm part of the bad guys?

I'm not asking for the scan results to be made public, but simply
asking for my request not to be left "pending" on my Coverity
dashboard, as a contributor.

>
> I wish I could give you a nice answer.
>
>         /r$
>
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge, MA
> IM: rs...@jabber.me; Twitter: RichSalz
>
>
>> -----Original Message-----
>> From: owner-openssl-...@openssl.org [mailto:owner-openssl-
>> d...@openssl.org] On Behalf Of Loganaden Velvindron
>> Sent: Wednesday, July 02, 2014 2:24 PM
>> To: openssl-dev@openssl.org
>> Subject: Re: OpenSSL roadmap
>>
>> On Wed, Jul 2, 2014 at 9:48 PM, Salz, Rich <rs...@akamai.com> wrote:
>> >> However, I feel  that the developer group is a bit closed to outsiders.
>> >
>> > More communication and transparency is coming, as we have a bigger and
>> more invigorated developer team. It will take time. But not everything will
>> always be discussed in public mailing lists right away, particularly around
>> vulnerabilities.
>> >
>> >> I requested access to the OpenSSL scan results on Coverity, and up to
>> >> now, my request is still pending :-(
>> >
>> > This could be an example of that. (I don't know, I haven't looked through
>> any reports.) But I hope that you understand why there might be concerns
>> about doing this.
>>
>> >
>> > Are there other issues or examples that come to mind?
>> >
>> >         /r$
>> >
>> > --
>> > Principal Security Engineer
>> > Akamai Technologies, Cambridge, MA
>> > IM: rs...@jabber.me; Twitter: RichSalz
>>
>> --
>> This message is strictly personal and the opinions expressed do not
>> represent those of my employers, either past or present.
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> Development Mailing List                       openssl-dev@openssl.org
>> Automated List Manager                           majord...@openssl.org
-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.