----- Original Message -----
> From: "Zdenek Styblik" <zdenek.styb...@gmail.com>
> To: "Ales Ledvinka" <aledv...@redhat.com>
> Cc: "ipmitool-devel" <ipmitool-devel@lists.sourceforge.net>
> Sent: Saturday, January 5, 2013 1:23:03 PM
> Subject: Re: [Ipmitool-devel] code analysis
> 
> On Fri, Jan 4, 2013 at 8:10 PM, Ales Ledvinka <aledv...@redhat.com>
> wrote:
> [...]
> > Per issue, file or defect type group?
> >
> 
> It's hard to say in a general way. Sometimes one is better than
> another and sometimes it's better to edit the hell out of the .c file.
> 
> [...]
> >> > Reasonable minimal fix. If further questions remain then add some
> >> > XXX comment.
> >> >
> >>
> >> Hmm. I feel like the question was about apples and the answer oranges.
> >> Anyway, I wanted to say I've read: ``I'll hack in fixes'', but that's
> >> not the word I'm looking for. Sadly, I can't find the English equivalent
> >> of the word I'm looking for to ``reasonable minimal fix'', but let's say
> >> I'm looking forward to those code reviews.
> > Just re-read the "reasonable".
> >
> 
> I've read it the first time. I've seen some "reasonable" things and I
> choose to remain skeptical.
> 
> >>
> >> [...]
> >> >>
> >> >> What do you mean when you say you are going to release the report
> >> >> to the "public" with "the patch"?
> >> >
> >> > Once the changes are public it's like releasing the report so I was
> >> > thinking of attaching it to the tracker item with the patch to aid
> >> > review.
> >> >
> >>
> >> Ales, can you please stop making secrets about something that's not
> >> secret? ipmitool is open-source. Static analysis, I presume that's
> >> what you, or Fedora, have used, tools are available to pretty much
> >> everyone. Also, there are other security issues like over/underflow
> >> via user input. So I doubt whatever "you" found is worse.
> >> On the bright side, I'm glad somebody has found time and made an
> >> effort to run ipmitool through an analysis tool.
> >
> > Report quality may vary with analysis tool used.
> 
> Yep, although I'm not sure what the point is. If we were talking about
> a party with malicious intentions, I wouldn't underestimate it.
> I'm glad to see you're aware of the pros and cons of analysis tools
> though.
> 
> > Then it's about effort to generate the report,
> > effort to check the reported item
> > whether it's security issue or not and effort to fix it. These are
> > not the same thing.
> 
> Right. And if you want to do it all behind the closed, but unlocked,
> doors, that's fine by me. However I'm not going to opt in, because
> that's not how I do things.
> 
Doors remain doors, arrangements change depending on the situation.
I am asking for a sort of auditable handover, not door opening.

> > Feel free to request the report. And then it's
> > your decision whether you release it before anything else.
> >
> 
> Don't get me wrong. I'm looking forward to it; hell, you can say I'm
> interested; but I'm not desperate about it.
> It sounds to me like either a sort of oxymoron or just passing the
> buck (which I, sort of, understand).
> 
> Enough said,
> Z.
> 

_______________________________________________
Ipmitool-devel mailing list
Ipmitool-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipmitool-devel
