On Aug 21, 2007, at 1:27 AM, Pierangelo Masarati wrote:
Domagoj Babic wrote:
Ok, thank you a bunch for the clarification.
This might be especially relevant to buffer overrun checking
exactly
However, Kurt, on the behalf of the OpenLDAP Foundation, explicitly stated that the foundation is not interested in having the code statically checked, so I won't be sending reports (except for one more I have already generated).
I don't think he said exactly that. I believe he said the project is not interested in receiving plain reports just for the purpose of debugging Calysto (nothing personal: only, we're just a few volunteers, and we cannot dedicate too much time to reviewing reports potentially filled with false positives). If you put some effort into separating what could be critical from what isn't likely, any report would be welcome. For example, I'm reviewing your initial submission and, apart from what's directly related to the clients, there are a couple of reports that may require some action. I'll post about my findings later, on a private basis. Only, I'm not going to do this routinely and too often.
Once Calysto becomes publicly available, you might actually get in a position where other people will be capable of finding exploits automatically --- every great technology has its dark side :-)
I know. That's why I'm not going to entirely decline the reports you offered to submit.
p.
Ing. Pierangelo Masarati, OpenLDAP Core Team
SysNet s.r.l., via Dossi, 8 - 27100 Pavia - ITALIA, http://www.sys-net.it
Office: +39 02 23998309, Mobile: +39 333 4963172, Email: pierangelo.masarati@sys-net.it