Message-ID: <20191106134041.GA29158@openwall.com>
Date: Wed, 6 Nov 2019 14:40:41 +0100
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com, Joe McManus <joe.mcmanus@...onical.com>
Subject: Re: Contributing Back

On Tue, Nov 05, 2019 at 10:43:11PM +0000, Seth Arnold wrote:
> I'm uneasy reporting "I saw no further instances of this" or "I saw no
> issues with this patch" because I am keenly aware that I cannot be
> confident in my assessments. I'm very accustomed to pointing out problems
> when I see them, so that comes easily.

Besides "I saw no issues", etc., please also describe the scope of your
review - e.g., "I grepped the version X.Y tree for [some pattern] and
there were only two hits, which I reviewed and they look correct to me"
or "I've tried applying the patch to version X.Y, building with ASan, and
running the test suite on Ubuntu 19.10, and all tests passed" or even
"I skimmed over this lengthy patch in 10 minutes and didn't see anything
obviously wrong" (not ideal, but also not misleading).

Of course, more detail (after a summary like this) would be even better -
e.g., you could include code snippets for those two grep hits from my
first example, which might result in others noticing issues in those.

For a real-world example, here's that message Anthony sent on July 25,
which is as desired in that it makes the scope clear:

"We have packaged the 4.92.1 release and performed some basic testing and
can confirm it works. We do not have a reproducer for this issue so I
cannot confirm if the fix is correct but can confirm that the package is
stable."

> In any event I will do better.

Thank you, Seth.

Also, thank you Anthony for ack'ing my reminder (in another message).

Alexander