Hadoop >> mail # dev >> FW: Coverity Scan (MAPREDUCE-5032)

Re: Coverity Scan (MAPREDUCE-5032)
Agree with Aaron. Let's move this discussion to security@. Thanks.

On Sep 30, 2013, at 5:57 PM, Aaron T. Myers <[EMAIL PROTECTED]> wrote:

> I strongly recommend that we take this conversation over to the
> (committers-only) [EMAIL PROTECTED] mailing list. In general we
> try to follow the Apache recommendations when it comes to addressing
> security issues, which involves not publicly disclosing the vulnerability
> until there are released version(s) with the issue(s) addressed.
> Best,
> Aaron
> On Mon, Aug 26, 2013 at 8:24 PM, Jon Jarboe <[EMAIL PROTECTED]> wrote:
>> Thanks for the interest.  I'm in the process of building the 2.1.0 beta as
>> suggested by Roman.
>> Jon
>> (214) 531-3496
>>> -----Original Message-----
>>> From: Ottenheimer, Davi [mailto:[EMAIL PROTECTED]]
>>> Sent: Monday, August 26, 2013 1:11 PM
>>> Subject: RE: Coverity Scan (MAPREDUCE-5032)
>>> Perhaps open the JIRA with only a reference/link to the Coverity report,
>>> and limit access to only those working on the issues.
>>> Full disclosure, update the JIRA, after fix.
>>> --
>>> Davi Ottenheimer
>>> Senior Director of Trust
>>> EMC Corporation
>>> [EMAIL PROTECTED] | @daviottenheimer | +1-415-271-6259
>>> blog: http://www.flyingpenguin.com/
>>>> -----Original Message-----
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>>>> Roman Shaposhnik
>>>> Sent: Monday, August 26, 2013 10:50 AM
>>>> Subject: Re: Coverity Scan (MAPREDUCE-5032)
>>>> On Mon, Aug 26, 2013 at 10:43 AM, Vinod Kumar Vavilapalli
>>>> <[EMAIL PROTECTED]> wrote:
>>>>> Can you file a JIRA and attach the report there? That is the best
>>>>> way to move this forward.
>>>> Last time I was involved in a Coverity scan was when they scanned
>>>> another project I'm committer on (FFmpeg). The lesson there was that
>>>> the value you get out of browsing on their site
>>>> https://scan.coverity.com is immeasurably higher than from any static
>>>> report that can be attached to a JIRA.
>>>> Also, at least in FFmpeg's case, Coverity identified a few things that
>>>> could've been used as potential exploits so it made perfect sense to
>>>> have a white-list of project members who could get access to the
>>>> initial report instead of going all public with it to begin with
>>>> (which would happen if it just gets attached to a JIRA in its
>>>> entirety).
>>>> Just my 2c worth of working with them in the past.
>>>> Thanks,
>>>> Roman.

Arun C. Murthy
Hortonworks Inc.