On Tue, Sep 16, 2014 at 6:06 PM, Pedro Lino <[email protected]> wrote:
> Hi Andrea
>
> Thank you for the quick answer.
>
>>> I'm wondering if I'm missing something or development really stopped/slowed
>>> down since the 4.1.1 release?
>>>
>>
>> I can't speak for the others. But since the latest visible commit is mine,
>> I've been working more on the website in recent days.
>>
>
> Actually my question was more in the sense "Am I looking at the right
> statistics?" because I find it hard to believe that with so much to be done
> and so many people participating, there hasn't been a code change in 7
> days...
>
>>> On a separate note, from a Quality perspective it would probably be a
>>> good idea if Apache OpenOffice code was scanned by one of these Coverity
>>> analyses
>>>
>>
>> The Apache OpenOffice code is scanned by Coverity, and (since this is
>> considered security-relevant) data are privately accessible to some
>> developers.
>
> Is it possible to make public the "project's defect density" for Apache
> OpenOffice? I'm quite curious since I find AOO more stable than LO.
>
>> If I recall correctly (I've never seen them), most of the reports and
>> metrics did not seem very useful, since they included a lot of false
>> positives; one could silence those warnings by writing extra code or extra
>> assertions just to help the analyzer understand that nothing was wrong, but
>> this would be merely to please the analyzer and not to enhance the real
>> quality.
>
> That makes sense. But there are possibly some real leaks and bugs that
> could be attended...
>

Our main focus for finding latent security flaws has been via "document
fuzzing." It is more complicated to set up than just running a static
analysis tool, but since it involves probing the actual running code it is
more effective in many ways. Historically this is one of the primary ways
that editors like OpenOffice are exploited. Also, when security researchers
report security flaws to us, they are often flaws found from fuzzing. I
don't recall ever seeing a report that was derived from static analysis.

If you want to read more about what we're doing with fuzzing you can see my
presentation from ApacheCon:

http://www.robweir.com/blog/publications/AOOFuzzing.pdf

Also, if you are really interested in this area I can help you set up a
fuzzing environment. It works best if you have a machine (or a VM) you can
dedicate to it for a couple of weeks.

Regards,

-Rob

>
>> I haven't read the article you linked to yet, but if your point was
>> "Coverity should scan Apache OpenOffice" the answer is "This is already
>> happening".
>>
>
> Actually I meant some sort of scan, but since AOO is also scanned by
> Coverity then it would be interesting to know how the two compare.
>
> Regards,
> Pedro
