I strongly recommend that we take this conversation over to the
(committers-only) [EMAIL PROTECTED] mailing list. In general we
try to follow the Apache recommendations when it comes to addressing
security issues, which involves not publicly disclosing the vulnerability
until there are released version(s) with the issue(s) addressed.
On Mon, Aug 26, 2013 at 8:24 PM, Jon Jarboe <[EMAIL PROTECTED]> wrote:
> Thanks for the interest. I'm in the process of building the 2.1.0 beta as
> suggested by Roman.
> (214) 531-3496
> > -----Original Message-----
> > From: Ottenheimer, Davi [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, August 26, 2013 1:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: Coverity Scan (MAPREDUCE-5032)
> > Perhaps open the JIRA with only a reference/link to the Coverity report,
> > limit access to only those working on the issues.
> > Full disclosure, update the JIRA, after fix.
> > --
> > Davi Ottenheimer
> > Senior Director of Trust
> > EMC Corporation
> > [EMAIL PROTECTED] | @daviottenheimer | +1-415-271-6259
> > blog: http://www.flyingpenguin.com/
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
> > Of
> > > Roman Shaposhnik
> > > Sent: Monday, August 26, 2013 10:50 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Coverity Scan (MAPREDUCE-5032)
> > >
> > > On Mon, Aug 26, 2013 at 10:43 AM, Vinod Kumar Vavilapalli
> > > <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Can you file a JIRA and attach the report there? That is the best
> > > > way to
> > > move this forward.
> > >
> > > Last time I was involved in a Coverity scan was when they scanned
> > > another project I'm committer on (FFmpeg). The lesson there was that
> > > the value you get out of browsing on their site
> > > https://scan.coverity.com is immeasurably higher than from any static
> > report that can be attached to a JIRA.
> > >
> > > Also, at least in FFmpeg's case, Coverity identified a few things that
> > > could've been used as potential exploits so it made perfect sense to
> > > have a white-list of project members who could get access to the
> > > initial report instead of going all public with it to begin with
> > > (which would happen if it just gets attached to a JIRA in its
> > >
> > > Just my 2c worth of working with them in the past.
> > >
> > > Thanks,
> > > Roman.