craigbarratt
commented
3 years ago I'm happy to discuss these issues offline. I've contacted you by email.
Open setharnold opened 3 years ago
craigbarratt
commented
3 years ago I'm happy to discuss these issues offline. I've contacted you by email.
Hello, I've been asked to review rsync-bpcas part of an Ubuntu Main Inclusion Request; it's not a full audit, just a quick look. Part of this includes running the project through Coverity. I've reviewed some of the results and while there's many false positives due to the way global storage is used, I think it's found several real results.
I didn't see any
SECURITY*files in the repo, and theREADMEdoesn't mention any security contacts. I don't think these issues are particularly sensitive and they may not even be part of rsync-bpc's threat model but I often lack imagination when it comes to attacks. I could post things to github issues, or email them to you, as you wish, please let me know.Or, you could compile rsync-bpc in Coverity's free service and get all the results. I'm pretty sure their free service has the nice interface to explore results. Marking all the false positives might be a bit of work, but I think in the long run it would pay dividends by reporting bugs before users do.
Thanks