[sldev] Static code analysis
Rob Lanphier
robla at lindenlab.com
Sun Jan 11 23:19:34 PST 2009
On 01/11/2009 05:57 PM, Jason Giglio wrote:
> The conclusion of the thread was that Linden Lab already licensed
> Coverity internally, and they weren't going to release the results of
> the report to us. There were some vague excuses about security or
> something, and that the open source community can't really help fix
> those kinds of bugs anyway.
>
Coverity's tool is designed to find security vulnerabilities. More
often than not, the problems that it finds are merely bugs that aren't
obvious holes, but since the tool is designed to find security problems,
it seems reasonable to treat the reports that it gives us the same way
we treat vulnerability reports.
We're at a stage now where it's conceivable we could open this up to a
wider audience, but that doesn't seem like a decision we're likely to
make prior to figuring out what we're doing with the early vulnerability
disclosure group:
http://jira.secondlife.com/browse/VWR-11305
One possible outcome is that we offer the results to the early
vulnerability disclosure group since we're already figuring out a
vetting process, but that's not a possibility I've discussed with anyone
else at Linden Lab.
Rob