> I write fixes for pieces of software that I depend on. Some time ago, I sent
> a diff for OpenSSL.
Great, thanks.
> If I'm interested in fixing OpenSSL, why shouldn't I have access to coverity
> scans ?
>
> Other Open Source projects have provided me access to their coverity scans,
> despite the fact that I'm not a committer.
There are security concerns. For example, the recent heartbleed vulnerability
exposed long-term private keys, user passwords and all sorts of stuff. This
makes OpenSSL software different from something like a packet dump or mail
reader. I don't know what the scans say, and I understand your disappointment,
but we really need to be careful about making vulnerability scans generally
available. And then there is the question of where we draw the line. I am all
in favor of responsible disclosure, but unfortunately the bad guys -- who, yes,
may already have coverity or other scans -- are interested as well.
I wish I could give you a nice answer.
/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [email protected]; Twitter: RichSalz
> -----Original Message-----
> From: [email protected] [mailto:owner-openssl-[email protected]] On Behalf Of Loganaden Velvindron
> Sent: Wednesday, July 02, 2014 2:24 PM
> To: [email protected]
> Subject: Re: OpenSSL roadmap
>
> On Wed, Jul 2, 2014 at 9:48 PM, Salz, Rich <[email protected]> wrote:
> >> However, I feel that the developer group is a bit closed to outsiders.
> >
> > More communication and transparency is coming, as we have a bigger and
> > more invigorated developer team. It will take time. But not everything will
> > always be discussed in public mailing lists right away, particularly around
> > vulnerabilities.
> >
> >> I requested access to the OpenSSL scan results on coverity, and up to
> >> now, my request is still pending :-(
> >
> > This could be an example of that. (I don't know, I haven't looked through
> > any reports.) But I hope that you understand why there might be concerns
> > about doing this.
> >
> > Are there other issues or examples that come to mind?
> >
> > /r$
> >
> > --
> > Principal Security Engineer
> > Akamai Technologies, Cambridge, MA
> > IM: [email protected]; Twitter: RichSalz
>
> --
> This message is strictly personal and the opinions expressed do not
> represent those of my employers, either past or present.
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [email protected]
> Automated List Manager [email protected]