| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALx_OUB=JxYUBE+oPVk+6eTqqv=K9gVNuKj8c6ktav=ToAxPfg@mail.gmail.com> Date: Sun, 19 Apr 2015 17:31:02 -0700 From: Michal Zalewski <lcamtuf@...edump.cx> To: noloader@...il.com Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>, bugtraq <bugtraq@...urityfocus.com> Subject: Re: [FD] several issues in SQLite (+ catching up on several other bugs) > Clang and its analyzers found a number of issues a couple of years > ago. As far as I know, the results were dismissed. See "Clang 3.3 and > Scan-Build results", Well, I can kinda sympathize. Somebody took one of my OSS projects (p0f) and ran it through a static analyzer a while ago (the analyzer shall remain nameless, but was one of the major ones). The results were just pages and pages of nonsensical findings, interspersed with non-specific style recommendations. An experience like that can quickly divide developers into two camps: the "not sure, but let me spend a week to address everything, just in case" one, and the "show me faulting test cases or get lost" bunch. I've heard it summed up this way: when a particular check is stable and reliable enough to be actually useful to most developers, it stops being called "static analysis" and becomes a "standard compiler warning" =) /mz _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists