lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 04 Jan 2018 09:23:58 -0600
From:   ebiederm@...ssion.com (Eric W. Biederman)
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     Pavel Machek <pavel@....cz>, Mike Galbraith <efault@....de>,
        LKML <linux-kernel@...r.kernel.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: LKML admins (syzbot emails are not delivered)

Dmitry Vyukov <dvyukov@...gle.com> writes:

> Hi Pavel,
>
> I've answered this question here in full detail. In short, this is
> useful and actionable.
> https://groups.google.com/d/msg/syzkaller/2nVn_XkVhEE/GjjfISejCgAJ

*Snort*

If the information to solve an issue is not in the Oops syzbot is
useless.

The Oops isn't even mailed in plain text so I have to save the stupid
thing in a file to see the full text of the problem.

Further there is no place in the syzbot process to test fixes.

Then there is the issue of testing linux-next and reporting errors on
who knows what code configuration against code that hasn't changed in
linux-next.   Which presumably any sane person would assume the errors
are introduced by some other piece of new code.  But syzbot goes and
spams the people who wrote the function where the code is failing.

Bots can work.  We have all of the automatic testing infrastructure
against everyone's branches on kernel.org to prove it.

syzbot finds weird errors, so that makes the problem space more
difficult to deal with.

Still I compleltely don't see the people behind syzbot presumably you
Dmitry taking responsibility for syzbot failings.  Instead I see excuses
like you don't completely control some part of the code that syzbot is
built on so can't fix practical real world issues.  Like Content-type.

Bots can be the most horrible thing for a code base.  If there is not
someone or something going through an filtering out the false positives.
If there is not a process to ensure that issues are brought to the
proper peoples attention so things get fixed.  Bots can be completely
demoralizing or possibily desensitizing because you keep seeing issues,
and nothing you do ever makes the issues go away.

Given that no one seems to take any responsibility for syzbots failures
of any kind.  Not content-type in the emails.  Not the body of the
message (which has a massive disclaimer).  I don't find syzbot at all
useful.

Tools are for people, in this case kernel programmers.  syzbot has
serious usability issues.  That makes syzbot a bad tool.

Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ