Re: [Xen-devel] Coverity + XenProject + Process?

[Ian Campbell <Ian.Campbell@xxxxxxxxxx>]

On Fri, 2013-08-30 at 11:00 -0400, Konrad Rzeszutek Wilk wrote:
> Hey
> 
> We have a static analyzer setup for Xen called Coverity. It allows
> the code to be inspected for bugs and such.
> 
> Originally I setup this so that we could make sure that there are no
> bugs that cause security issues - and as such invited only folks
> on the security Xen mailing list.
> 
> But there are other folks who I am sure would like to contribute
> and as Coverity is pretty amazing at analyzing issues and providing
> a good idea of how to fix it - was wondering what should be the
> procedure for involving volunteers for that?

This conversation and the decision is on going to take a while.

In the meantime we (security@ or xen-devel@) have received offers of
help from Matthew Daley, Andrew Cooper and Steven Maresca. All three are
well known to us and IMHO trustworthy. Matthew and Andrew have been
involved in both disclosing and helping to resolve multiple security
issues in the past. I don't think Steven has been involved in security
disclosure stuff (apologies Steven if I've forgotten) but has none the
less been active in Xen and with various security related aspects of the
project.

Given that I would like to propose that we give all three of them access
while the policy conversation is on going.

Any objections? If so then please raise them by the end of business this
Sunday (8 September).

Ian.



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel