Jon Jarboe 2013-08-26, 15:21
Roman Shaposhnik 2013-08-26, 16:12
Vinod Kumar Vavilapalli 2013-08-26, 17:43
Roman Shaposhnik 2013-08-26, 17:50
Jon Jarboe 2013-08-26, 18:16
Ottenheimer, Davi 2013-08-26, 18:11
Jon Jarboe 2013-08-26, 18:24
Aaron T. Myers 2013-10-01, 00:57
-Re: Coverity Scan (MAPREDUCE-5032)
Arun C Murthy 2013-10-02, 04:00
Agree with Aaron. Let's move this discussion to security@. Thanks.
On Sep 30, 2013, at 5:57 PM, Aaron T. Myers <[EMAIL PROTECTED]> wrote:
> I strongly recommend that we take this conversation over to the
> (committers-only) [EMAIL PROTECTED] mailing list. In general we
> try to follow the Apache recommendations when it comes to addressing
> security issues, which involves not publicly disclosing the vulnerability
> until there are released version(s) with the issue(s) addressed.
> On Mon, Aug 26, 2013 at 8:24 PM, Jon Jarboe <[EMAIL PROTECTED]> wrote:
>> Thanks for the interest. I'm in the process of building the 2.1.0 beta as
>> suggested by Roman.
>> (214) 531-3496
>>> -----Original Message-----
>>> From: Ottenheimer, Davi [mailto:[EMAIL PROTECTED]]
>>> Sent: Monday, August 26, 2013 1:11 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: RE: Coverity Scan (MAPREDUCE-5032)
>>> Perhaps open the JIRA with only a reference/link to the Coverity report,
>>> limit access to only those working on the issues.
>>> Full disclosure, update the JIRA, after fix.
>>> Davi Ottenheimer
>>> Senior Director of Trust
>>> EMC Corporation
>>> [EMAIL PROTECTED] | @daviottenheimer | +1-415-271-6259
>>> blog: http://www.flyingpenguin.com/
>>>> -----Original Message-----
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
>>>> Roman Shaposhnik
>>>> Sent: Monday, August 26, 2013 10:50 AM
>>>> To: [EMAIL PROTECTED]
>>>> Subject: Re: Coverity Scan (MAPREDUCE-5032)
>>>> On Mon, Aug 26, 2013 at 10:43 AM, Vinod Kumar Vavilapalli
>>>> <[EMAIL PROTECTED]> wrote:
>>>>> Can you file a JIRA and attach the report there? That is the best
>>>>> way to
>>>> move this forward.
>>>> Last time I was involved in a Coverity scan was when they scanned
>>>> another project I'm committer on (FFmpeg). The lesson there was that
>>>> the value you get out of browsing on their site
>>>> https://scan.coverity.com is immeasurably higher than from any static
>>> report that can be attached to a JIRA.
>>>> Also, at least in FFmpeg's case, Coverity identified a few things that
>>>> could've been used as potential exploits so it made perfect sense to
>>>> have a white-list of project members who could get access to the
>>>> initial report instead of going all public with it to begin with
>>>> (which would happen if it just gets attached to a JIRA in its
>>>> Just my 2c worth of working with them in the past.
Arun C. Murthy
NOTICE: This message is intended for the use of the individual or entity to
which it is addressed and may contain information that is confidential,
privileged and exempt from disclosure under applicable law. If the reader
of this message is not the intended recipient, you are hereby notified that
any printing, copying, dissemination, distribution, disclosure or
forwarding of this communication is strictly prohibited. If you have
received this communication in error, please contact the sender immediately
and delete it from your system. Thank You.