As I am not familiar with the structure of your mailing lists and also
can't give a meaningful estimate of the ratio of normal bugs to
security issues we will find, I will only provide the following
general points of information on OSS-Fuzz:
* By design, fuzzing produces little to no false positiv
+1 for oss fuzz. Fabian also got in contact a few days earlier, and asked me
about using it with Commons Imaging. I told him it had to be discussed here
first, but that I thought it could be useful (we are parsing several image file
formats, probably a few things could be improved).
As for th
On Tue., 13 Apr. 2021 at 18:21, Avijit Basak wrote:
>
> Hi
>
> Please find my comments below.
>
> >> I don't follow the distinction "prod" vs "non-prod".
> -- Actually in Prod we really need a very high performing system. So
> use of implicit parallelism in spark would help us to a
Please don't use @security for automated emails, that ML IMO should be for
humans.
If you want to set up a new ML for bots that's fine, we can direct GitHub's
Dependabot emails there if GitHub allows for that.
Gary
On Tue, Apr 13, 2021, 12:57 Mark Thomas wrote:
> On 13/04/2021 17:49, Stefan Bod
On 13/04/2021 17:49, Stefan Bodewig wrote:
Fabian has offered to set up OSS Fuzz for Compress. Given that the
issues OSS Fuzz detects may or may not be security sensitive, I don't
feel it would be a good idea to have the tool send reports to a public
mailing list. Therefore I propose to create
Hi all
I want to pick up (and finish) the discussion that started in
Compress[1].
Short Recap:
OSS Fuzz[2] runs fuzz testing for open source projects by invoking
methods of our code with random data looking for unexpected outcomes
(undeclared exceptions or worse code that never retu
Hi
Please find my comments below.
>> I don't follow the distinction "prod" vs "non-prod".
-- Actually in Prod we really need a very high performing system. So
use of implicit parallelism in spark would help us to achieve it. But for
other types of work like POC or R&D we may not ne
Hello.
On Mon., 12 Apr. 2021 at 17:21, Avijit Basak wrote:
>
> Hi
>
> Sorry for the delayed response. Thanks for your patience. Please
> find my comments below:
>
> (1) Why not Spark? [At least post over there (?).]
> --We can move to Spark. But it will be very much useful if th
Hello Gary,
I had a look at this one and I was able to reproduce this. Based on my reading
of the code and what it does, IMO, this is a JDK issue. Since this was
previously raised and reported in this list here[1] and a JDK issue was created
https://bugs.openjdk.java.net/browse/JDK-8262108, I d