Message-ID: <ebe15617-fe6a-2668-f14e-146811147f14@canonical.com>
Date:   Thu, 9 May 2019 15:55:32 +0100
From:   Colin Ian King <colin.king@...onical.com>
To:     Borislav Petkov <bp@...en8.de>
Cc:     Tony Luck <tony.luck@...el.com>, Qiuxu Zhuo <qiuxu.zhuo@...el.com>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        James Morse <james.morse@....com>, linux-edac@...r.kernel.org,
        kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] EDAC, sb_edac: remove redundant update of tad_base

On 09/05/2019 15:41, Borislav Petkov wrote:
> On Thu, May 09, 2019 at 03:29:42PM +0100, Colin Ian King wrote:
>> These are the Coverity static analysis warning/error message
>> classifications.  Tagging them should be useful for several reasons:
>>
>> 1. We can classify the types of issues being fixed
>> 2. We can see how many issues are being found/fixed with the use of
>> static analysis tools like Coverity
> 
> Who's "We"?

Well, I'm assuming folk who are using Coverity and folk who like
tracking bug stats.

> 
>> 3. It provides some context on how these bugs were being found.
> 
> I figured as much but I have more questions:
> 
> * you say "tools like Coverity" but the name Coverity is in the tag.
> So another tool would want to add its own tag. Which begs the second
> question:
> 
> * has it ever been discussed and/or agreed upon all those "tools" tags?
> 
> Because we remove internal tags which have no bearing on the upstream
> kernel. When I see that tag, how can I find out what it means? Can I run
> coverity myself?

Synopsys provides Coverity Scan which can be used for free. There are
several instances of projects on the scan website that are analyzing the
kernel, for example:

https://scan.coverity.com/projects/linux
https://scan.coverity.com/projects/linux-next-weekly-scan

> 
> Lemme dig another one:
> 
> Addresses-Coverity-ID: 744899 ("Missing break in switch")
> 
> Where do I look up that ID?

https://scan.coverity.com/projects/linux

> 
> And so on...
> 
> Bottom line of what I'm trying to say is, those tags better be useful to
> the general kernel audience - that means, they should be documented so
> that people can look them up - or better not be in commit messages at
> all.

Yep, I agree, but explaining all the Coverity error types in a kernel
doc is going to take some effort, which I really don't have much time
for at the moment.

> 
> Thx.
> 

Colin
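The "Missing break in switch" classification quoted in the thread refers to a case label that runs on into the next one because the author forgot a break. The following is an added example and not code from this thread, from Coverity or from the kernel: a hypothetical access-policy switch (the enum names, verdict values and the two functions are all constructed for illustration) shown once with the unintended fall-through and once with the fix, where the one fall-through that is intended is marked with the `/* fall through */` comment that GCC's -Wimplicit-fallthrough and static analyzers recognise.

```c
/* Added example, not from the thread or the kernel: the "Missing break in
 * switch" bug class beside its fix. All identifiers are hypothetical. */
#include <stdio.h>

/* Constructed request kinds for a toy policy engine. */
enum req { REQ_READ = 0, REQ_WRITE = 1, REQ_ADMIN = 2 };

/* Verdict bits; V_DENY is returned when no case granted anything. */
enum verdict { V_ALLOW = 1, V_AUDIT = 2, V_DENY = 4 };

/* Buggy: REQ_ADMIN has no break, so a non-admin REQ_ADMIN request falls
 * into the REQ_WRITE and REQ_READ handling and is granted anyway. This is
 * the shape Coverity reports as "Missing break in switch". */
int verdict_buggy(enum req r, int is_admin)
{
    int v = 0;

    switch (r) {
    case REQ_ADMIN:
        if (is_admin)
            v |= V_ALLOW;
        /* BUG: no break here, control continues into REQ_WRITE */
    case REQ_WRITE:
        v |= V_AUDIT;
        /* fall through */
    case REQ_READ:
        v |= V_ALLOW;
        break;
    }
    return v ? v : V_DENY;
}

/* Fixed: the admin branch ends with break, so only the explicitly
 * annotated REQ_WRITE -> REQ_READ fall-through remains. The annotation
 * comment sits directly before the next case label, which is where the
 * compiler and analyzer look for it. */
int verdict_fixed(enum req r, int is_admin)
{
    int v = 0;

    switch (r) {
    case REQ_ADMIN:
        if (is_admin)
            v |= V_ALLOW;
        break;              /* the fix */
    case REQ_WRITE:
        v |= V_AUDIT;       /* writes are allowed but audited */
        /* fall through */
    case REQ_READ:
        v |= V_ALLOW;
        break;
    }
    return v ? v : V_DENY;
}

int main(void)
{
    printf("buggy: non-admin REQ_ADMIN -> %d (V_ALLOW bit set: %s)\n",
           verdict_buggy(REQ_ADMIN, 0),
           (verdict_buggy(REQ_ADMIN, 0) & V_ALLOW) ? "yes" : "no");
    printf("fixed: non-admin REQ_ADMIN -> %d (V_ALLOW bit set: %s)\n",
           verdict_fixed(REQ_ADMIN, 0),
           (verdict_fixed(REQ_ADMIN, 0) & V_ALLOW) ? "yes" : "no");
    return 0;
}
```

The buggy variant grants a non-admin caller V_ALLOW | V_AUDIT (3) for REQ_ADMIN; the fixed variant returns V_DENY (4) for the same input and is otherwise unchanged, which is exactly the kind of one-line difference an "Addresses-Coverity-ID" tag points at.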
