On 01/11/2009 05:57 PM, Jason Giglio wrote:
> The conclusion of the thread was that Linden Lab already licensed
> Coverity internally, and they weren't going to release the results of
> the report to us. There were some vague excuses about security or
> something, and that the open source community can't really help fix
> those kinds of bugs anyway.
>

Coverity's tool is designed to find security vulnerabilities. More often than not, the problems that it finds are merely bugs that aren't obvious holes, but since the tool is designed to find security problems, it seems reasonable to treat the reports that it gives us the same way we treat vulnerability reports.

We're at a stage now where it's conceivable we could open this up to a wider audience, but that doesn't seem like a decision we're likely to make prior to figuring out what we're doing with the early vulnerability disclosure group:
http://jira.secondlife.com/browse/VWR-11305

One possible outcome is that we offer the results to the early vulnerability disclosure group, since we're already figuring out a vetting process, but that's not a possibility I've discussed with anyone else at Linden Lab.

Rob

_______________________________________________
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/SLDev
Please read the policies before posting to keep unmoderated posting privileges
