> I write fixes for pieces of software that I depend on. Some time ago, I sent
> a diff for OpenSSL.

Great, thanks.

> If I'm interested in fixing OpenSSL, why shouldn't I have access to coverity
> scans?
>
> Other Open Source projects have provided me access to their coverity scans,
> despite the fact that I'm not a committer.

There are security concerns. For example, the recent heartbleed vulnerability exposed long-term private keys, user passwords and all sorts of stuff. This makes OpenSSL software different from something like a packet dump or mail reader. I don't know what the scans say, and I understand your disappointment, but we really need to be careful about making vulnerability scans generally available. And then there is the question of where we draw the line. I am all in favor of responsible disclosure, but unfortunately the bad guys -- who, yes, may already have coverity or other scans -- are interested as well.

I wish I could give you a nice answer.

/r$

--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz

> -----Original Message-----
> From: owner-openssl-...@openssl.org [mailto:owner-openssl-d...@openssl.org] On Behalf Of Loganaden Velvindron
> Sent: Wednesday, July 02, 2014 2:24 PM
> To: openssl-dev@openssl.org
> Subject: Re: OpenSSL roadmap
>
> On Wed, Jul 2, 2014 at 9:48 PM, Salz, Rich <rs...@akamai.com> wrote:
> >> However, I feel that the developer group is a bit closed to outsiders.
> >
> > More communication and transparency is coming, as we have a bigger and
> > more invigorated developer team. It will take time. But not everything will
> > always be discussed in public mailing lists right away, particularly around
> > vulnerabilities.
> >
> >> I requested access to the OpenSSL scan results on coverity, and up to
> >> now, my request is still pending :-(
> >
> > This could be an example of that. (I don't know, I haven't looked through
> > any reports.) But I hope that you understand why there might be concerns
> > about doing this.
> >
> > Are there other issues or examples that come to mind?
> >
> > /r$
>
> --
> This message is strictly personal and the opinions expressed do not
> represent those of my employers, either past or present.