Posted to common-dev@hadoop.apache.org by "Aaron T. Myers" <at...@apache.org> on 2013/10/01 02:57:24 UTC

Re: Coverity Scan (MAPREDUCE-5032)

I strongly recommend that we take this conversation over to the
(committers-only) security@hadoop.apache.org mailing list. In general we
try to follow the Apache recommendations when it comes to addressing
security issues, which involves not publicly disclosing the vulnerability
until there are released version(s) with the issue(s) addressed.

Best,
Aaron


On Mon, Aug 26, 2013 at 8:24 PM, Jon Jarboe <jj...@coverity.com> wrote:

> Thanks for the interest.  I'm in the process of building the 2.1.0 beta as
> suggested by Roman.
>
> Jon
> (214) 531-3496
>
>
> > -----Original Message-----
> > From: Ottenheimer, Davi [mailto:Davi.Ottenheimer@emc.com]
> > Sent: Monday, August 26, 2013 1:11 PM
> > To: common-dev@hadoop.apache.org
> > Subject: RE: Coverity Scan (MAPREDUCE-5032)
> >
> > Perhaps open the JIRA with only a reference/link to the Coverity report,
> and
> > limit access to only those working on the issues.
> >
> > Full disclosure, update the JIRA, after fix.
> >
> > --
> > Davi Ottenheimer
> > Senior Director of Trust
> > EMC Corporation
> > davi.ottenheimer@emc.com | @daviottenheimer | +1-415-271-6259
> > blog: http://www.flyingpenguin.com/
> >
> >
> > > -----Original Message-----
> > > From: shaposhnik@gmail.com [mailto:shaposhnik@gmail.com] On Behalf
> > Of
> > > Roman Shaposhnik
> > > Sent: Monday, August 26, 2013 10:50 AM
> > > To: common-dev@hadoop.apache.org
> > > Subject: Re: Coverity Scan (MAPREDUCE-5032)
> > >
> > > On Mon, Aug 26, 2013 at 10:43 AM, Vinod Kumar Vavilapalli
> > > <vi...@apache.org> wrote:
> > > >
> > > > Can you file a JIRA and attach the report there? That is the best
> > > > way to
> > > move this forward.
> > >
> > > Last time I was involved in a Coverity scan was when they scanned
> > > another project I'm a committer on (FFmpeg). The lesson there was that
> > > the value you get out of browsing on their site
> > > https://scan.coverity.com is immeasurably higher than from any static
> > report that can be attached to a JIRA.
> > >
> > > Also, at least in FFmpeg's case, Coverity identified a few things that
> > > could've been used as potential exploits so it made perfect sense to
> > > have a white-list of project members who could get access to the
> > > initial report instead of going all public with it to begin with
> > > (which would happen if it just gets attached to a JIRA in its
> entirety).
> > >
> > > Just my 2c worth of working with them in the past.
> > >
> > > Thanks,
> > > Roman.
> >
>
>
>

Re: Coverity Scan (MAPREDUCE-5032)

Posted by Arun C Murthy <ac...@hortonworks.com>.
Agree with Aaron. Let's move this discussion to security@. Thanks.

On Sep 30, 2013, at 5:57 PM, Aaron T. Myers <at...@apache.org> wrote:

> I strongly recommend that we take this conversation over to the
> (committers-only) security@hadoop.apache.org mailing list. In general we
> try to follow the Apache recommendations when it comes to addressing
> security issues, which involves not publicly disclosing the vulnerability
> until there are released version(s) with the issue(s) addressed.
> 
> Best,
> Aaron
> 
> 
> On Mon, Aug 26, 2013 at 8:24 PM, Jon Jarboe <jj...@coverity.com> wrote:
> 
>> Thanks for the interest.  I'm in the process of building the 2.1.0 beta as
>> suggested by Roman.
>> 
>> Jon
>> (214) 531-3496
>> 
>> 
>>> -----Original Message-----
>>> From: Ottenheimer, Davi [mailto:Davi.Ottenheimer@emc.com]
>>> Sent: Monday, August 26, 2013 1:11 PM
>>> To: common-dev@hadoop.apache.org
>>> Subject: RE: Coverity Scan (MAPREDUCE-5032)
>>> 
>>> Perhaps open the JIRA with only a reference/link to the Coverity report,
>> and
>>> limit access to only those working on the issues.
>>> 
>>> Full disclosure, update the JIRA, after fix.
>>> 
>>> --
>>> Davi Ottenheimer
>>> Senior Director of Trust
>>> EMC Corporation
>>> davi.ottenheimer@emc.com | @daviottenheimer | +1-415-271-6259
>>> blog: http://www.flyingpenguin.com/
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: shaposhnik@gmail.com [mailto:shaposhnik@gmail.com] On Behalf
>>> Of
>>>> Roman Shaposhnik
>>>> Sent: Monday, August 26, 2013 10:50 AM
>>>> To: common-dev@hadoop.apache.org
>>>> Subject: Re: Coverity Scan (MAPREDUCE-5032)
>>>> 
>>>> On Mon, Aug 26, 2013 at 10:43 AM, Vinod Kumar Vavilapalli
>>>> <vi...@apache.org> wrote:
>>>>> 
>>>>> Can you file a JIRA and attach the report there? That is the best
>>>>> way to
>>>> move this forward.
>>>> 
>>>> Last time I was involved in a Coverity scan was when they scanned
>>>> another project I'm a committer on (FFmpeg). The lesson there was that
>>>> the value you get out of browsing on their site
>>>> https://scan.coverity.com is immeasurably higher than from any static
>>> report that can be attached to a JIRA.
>>>> 
>>>> Also, at least in FFmpeg's case, Coverity identified a few things that
>>>> could've been used as potential exploits so it made perfect sense to
>>>> have a white-list of project members who could get access to the
>>>> initial report instead of going all public with it to begin with
>>>> (which would happen if it just gets attached to a JIRA in its
>> entirety).
>>>> 
>>>> Just my 2c worth of working with them in the past.
>>>> 
>>>> Thanks,
>>>> Roman.
>>> 
>> 
>> 
>> 

--
Arun C. Murthy
Hortonworks Inc.
http://hortonworks.com/
