On Friday, 31 August 2018, at 10:27:08 CEST, Edward Welbourne wrote:
> Albert Astals Cid (30 August 2018 20:42) wrote:
> > oss-fuzz is an online fuzzing service run by Google.
>
> Sounds useful.
>
> > They test daily the code base and run fuzzing over it, maintaining a
> > list of open and closed bugs.
> >
> > Found bugs are sent to a list of trusted addresses and kept private for
> > 90 days, then if not fixed they become public.
> >
> > Fixed bugs become public 30 days after being fixed.
>
> By "fixed" do they mean "we have told them we've fixed it" or "we've
> released all currently releasing branches of Qt with fixes"?
Fixed means "the daily bot has run again and it has found that what was wrong
before is now fine"

> I'm guessing it's closer to the former than the latter. So we have a month
> from fixing it, or perhaps from releasing *one* branch with a fix,
> within which to also release all our other live branches. That sounds
> like it may stress our release processes. So we have a quarter year in
> which to find a fix, then we need to orchestrate releases across all
> branches within a month; and this happens for each and every issue
> found. That schedule is fine for Chromium, which doesn't support old
> versions or care about backwards-compatibility, but may be a poor fit
> for our more conservative processes.
>
> So it would be better to run this *ourselves*, if we can, so that the Qt
> community has more control over how and when the results get to be
> published.

This is scarily close to the security by obscurity argument ;)

"what if we have a horrible bug, we fix it, it becomes public in 30 days and
we've not been able yet to put out a release?"

My answer to that is, you had a horrible bug, it's fixed, that is a great
thing, so just put an advisory out with the patch if we can't get a release
out.

> > If you want to test it locally you can do
> >
> > python infra/helper.py build_fuzzers --sanitizer undefined qt
> > python infra/helper.py run_fuzzer qt qimage_fuzzer
> >
> > for the undefined sanitizer and
> >
> > python infra/helper.py build_fuzzers --sanitizer address qt
> > python infra/helper.py run_fuzzer qt qimage_fuzzer
>
> So it *can* be used locally, without giving Google yet more power ...
> Good to know.

But you lose the daily bot runs and the free hardware.

I am not sure, but I think the bot part is not actually free software, though I
may be wrong.

Also when I run it, it stops at the first found issue, I guess there may be a
parameter to have it continue since the bot will find N issues in a given day.

Cheers,
  Albert

> Eddy.
-- 
Albert Astals Cid | [email protected] | Software Engineer
Klarälvdalens Datakonsult AB, a KDAB Group company
Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
KDAB - The Qt, C++ and OpenGL Experts

_______________________________________________
Development mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/development
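The local run described in the thread ends at the first finding; the wrapper below, added here as an example and not code from the thread or from oss-fuzz, restarts the quoted run_fuzzer command after each crash and files every distinct artifact for triage. It assumes the build_fuzzers step has already been run, that helper.py keeps the build output under build/out/<project> on the host, that the fuzzer emits libFuzzer's usual "Test unit written to <path>" line, and the directory and restart-count names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from oss-fuzz itself: restart the
# local oss-fuzz run after each crash so one run does not end at the first
# finding, and keep each distinct crash artifact for triage.
# Assumptions (constructed for this example): the build step quoted in the
# thread has already been run, helper.py keeps its output under
# build/out/<project> on the host, and the fuzzer prints libFuzzer's usual
# "Test unit written to <path>" line when it finds something.

PROJECT=${PROJECT:-qt}
FUZZER=${FUZZER:-qimage_fuzzer}
CRASH_DIR=${CRASH_DIR:-./fuzz-findings}   # constructed: where artifacts go
MAX_RESTARTS=${MAX_RESTARTS:-10}

# Read fuzzer output on stdin and print the path of the artifact it wrote
# (crash-*, leak-*, timeout-*, oom-*); print nothing when there was no finding.
extract_artifact() {
    sed -n 's/.*Test unit written to \([^ ]*\).*/\1/p' | head -n 1
}

# libFuzzer names artifacts <kind>-<sha1 of input>; the hash alone is a
# good enough key to avoid recording the same input twice.
artifact_id() {
    basename "$1" | sed 's/^[a-z-]*-//'
}

run_until_quiet() {
    mkdir -p "$CRASH_DIR"
    n=0
    while [ "$n" -lt "$MAX_RESTARTS" ]; do
        n=$((n + 1))
        # Extra libFuzzer flags (e.g. -max_total_time=600) can be passed via "$@".
        out=$(python infra/helper.py run_fuzzer "$PROJECT" "$FUZZER" "$@" 2>&1)
        art=$(printf '%s\n' "$out" | extract_artifact)
        if [ -z "$art" ]; then
            echo "run $n: finished without a finding"
            return 0
        fi
        id=$(artifact_id "$art")
        # The path is the one seen inside the container; locate it on the host.
        host=$(find "build/out/$PROJECT" -name "$(basename "$art")" | head -n 1)
        if [ -n "$host" ] && [ ! -e "$CRASH_DIR/$id" ]; then
            mv "$host" "$CRASH_DIR/$id"
            echo "run $n: kept $(basename "$art") as $CRASH_DIR/$id"
        else
            echo "run $n: $(basename "$art") already recorded or not found"
        fi
    done
    echo "stopped after $MAX_RESTARTS restarts; findings are in $CRASH_DIR"
}

if [ "${DO_RUN:-0}" = 1 ]; then run_until_quiet "$@"; fi
```

Run it with DO_RUN=1 from the oss-fuzz checkout; each restart resumes from the fuzzer's own corpus, so a crash that reproduces immediately shows up as "already recorded" rather than as a new finding.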
