On Fri, Jun 5, 2026, at 06:57, Daniel P. Berrangé wrote:
> On Fri, Jun 05, 2026 at 12:32:38PM +0200, Siteshwar Vashisht wrote:
>> Hello,
>>
>> I am writing this message to get feedback from the community on new
>> findings by static analyzers in Critical Path Packages that have
>> changed in Fedora 45.
>>
>> TLDR: This report[1] contains a total of 53127 findings and 1242 new
>> findings identified since Fedora 44. An AI analysis has identified 14
>> important and 12 moderate impact findings that may have a security
>> impact. The reports containing these findings are highlighted in red.
>> Please review the report and provide feedback.
>
> This makes me uncomfortable because another way of writing this is...
>
> "Here are 26 probable zero-day bugs we're publishing
> analysis of with no notice"
>
> I know that it is generally considered acceptable to publish the raw
> scan results from static analysis. Someone could trawl the haystack,
> doing the triage needed to find the needles that turn into security
> reports.
>
My problem isn't the fact that this is sent to a public list, but this is what I call filed 'publicly' in spirit. That is a HUGE number of problems to trawl through and determine if anything I maintain or co-maintain or might have commit access to is affected. And frankly, in my current negative amounts of copious spare time, I feel more likely to just skip trying and put these in the trash.

1. If you have N major items, contact the maintainers and upstream directly, or assume no one nice is looking at it ever.

2. If you have N medium items, contact the maintainers directly and assume no one has time to fix unless you have patches also. Assume that the AI trawlers looking for this will know about it way before the maintainers have time to do so.

3. If you have N low items, just post it to a web page and assume that the AI already knows and someone is trying to break it as a chain problem.

--
Stephen J Smoogen.
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren

--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
