Date:   Wed, 24 Jul 2019 11:37:12 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     David Miller <davem@...emloft.net>
Cc:     eric.dumazet@...il.com, dvyukov@...gle.com, netdev@...r.kernel.org,
        fw@...len.de, i.maximets@...sung.com, edumazet@...gle.com,
        dsahern@...il.com, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: Reminder: 99 open syzbot bugs in net subsystem

On Wed, Jul 24, 2019 at 11:12:25AM -0700, David Miller wrote:
> From: Eric Biggers <ebiggers@...nel.org>
> Date: Wed, 24 Jul 2019 09:30:14 -0700
> 
> > On Wed, Jul 24, 2019 at 08:39:05AM +0200, Eric Dumazet wrote:
> >> Some of the bugs have been fixed already, before syzbot found them.
> >> 
> >> Why force humans to be gentle to bots and actually reply to them?
> >> 
> >> I usually simply wait until syzbot finds that the bug does not repro anymore,
> >> but now if you send these emails, we will have even more pressure on us.
> >> 
> > 
> > First, based on experience, I'd guess about 30-45 of these are still valid.  17
> > were seen in mainline in the last week, but some others are valid too.  The ones
> > most likely to still be valid are at the beginning of the list.  So let's try
> > not to use the presence of outdated bugs as an excuse not to fix current bugs.
> 
> So about half of the bugs we are to look at are already fixed and thus
> noise, even as estimated by you.
> 
> I agree with Eric, these "reminders" are bad for the people you
> actually want to work on fixing these bugs.

Well, the problem is that no one knows for sure which bugs are fixed and which
aren't.  To be certain, a human needs to review each bug.  A bot can only guess.

Note that the bugs in my reminders are already automatically prioritized by how
likely they are to still be valid, important, actionable.  So one simply needs
to start at the beginning of the list if they want to focus on those types of
bugs.  Isn't this helpful?

> 
> > Since the kernel community is basically in continuous bug bankruptcy and lots of
> 
> I don't like this hyperbole.  Please present facts and information we
> can actually use to improve the kernel development and bug fixing
> process.
> 

A huge number of valid open bugs are not being fixed, which is a fact.  We can
argue about what words to use to describe this situation, but it doesn't change
the situation itself.

What is your proposed solution?

- Eric
