On Fri, Jun 05, 2026 at 12:32:38PM +0200, Siteshwar Vashisht wrote:
> Hello,
>
> I am writing this message to get feedback from the community on new
> findings by static analyzers in Critical Path Packages that have
> changed in Fedora 45.
>
> TLDR: This report[1] contains a total of 53127 findings and 1242 new
> findings identified since Fedora 44. An AI analysis has identified 14
> important and 12 moderate impact findings that may have a security
> impact. The reports containing these findings are highlighted in red.
> Please review the report and provide feedback.
This makes me uncomfortable because another way of writing this is...

"Here are 26 probable zero-day bugs we're publishing analysis of with no notice"

I know that it is generally considered acceptable to publish the raw scan results from static analysis. Someone could trawl the haystack, doing the triage needed to find the needles that turn into security reports.

There is also a growing acceptance that bugs identified with AI/LLM tools should probably be considered as-good-as-public, since it is common for anyone using the same tools to co-discover the same bugs if they look at the same codebase.

Nonetheless, there is a difference between the theoretical possibility of being public, and proactively making everything public.

Should we really be publishing detailed impact analysis of probable security bugs in this way with no prior warning to maintainers?

I know many other groups / individuals doing AI/LLM driven analysis of OSS projects I'm involved with, and they all still report analysis confidentially, allowing maintainers at least a short window to determine a patch before things are unambiguously public.

F45 may not be released yet, but the package versions analyzed in F45 are usually upstream releases and may already be released in other distros, as well as possibly already rebased into stable Fedora release streams.
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
