pymupdf / PyMuPDF

PyMuPDF is a high performance Python library for data extraction, analysis, conversion & manipulation of PDF (and other) documents.
https://pymupdf.readthedocs.io
GNU Affero General Public License v3.0

OSS-Fuzz Integration #3556

Closed ennamarie19 closed 2 weeks ago

ennamarie19 commented 3 weeks ago

My name is McKenna Dallmeyer and I would like to submit PyMuPDF to OSS-Fuzz.

If you are not familiar with the project, OSS-Fuzz is Google's platform for continuous fuzzing of Open Source Software.

In order to get the most out of this program, it would be greatly beneficial to be able to merge my fuzz harness and build scripts into the upstream repository and contribute bug fixes if they come up. Is this something that you would support me putting the effort into?

Thank you!

JorjMcKie commented 3 weeks ago

@ennamarie19 thank you for your interest in and consideration of PyMuPDF! We would certainly welcome having this type of additional testing of aspects of PyMuPDF. However, we would also like to point out certain general conditions of our position:

We are looking forward to hearing from you!

ennamarie19 commented 3 weeks ago

> @ennamarie19 thank you for your interest in and consideration of PyMuPDF!
>
> We would certainly welcome having this type of additional testing of aspects of PyMuPDF.
>
> However, we would also like to point out certain general conditions of our position:
>
>   • Generating PyMuPDF for all current Python versions, and for a considerable number of OS platforms, already makes this a highly complex process - an app in itself.
>
> We do not want to inject further complications, for example by incorporating more package generation alternatives.
>
>   • But we would definitely be willing to fix any issues you may detect or, respectively, accept corresponding PRs.
>
> In this context, please be aware that we need your acceptance of our Artifex Contributor License Agreement, downloadable from here. So, when you submit your first PR, we will expect an accompanying statement like "I have read and herewith accept the Artifex CLA". Subsequent submissions will automatically confirm the existence of this approval.
>
> We are looking forward to hearing from you!

Certainly! Thank you for passing along that guidance. I just need a good email address from you that I can include with the submission to OSS-Fuzz so that you are kept informed of findings from the fuzz tests. Could you share that with me please?

Thanks so much for your interest!

JorjMcKie commented 3 weeks ago

Hi @ennamarie19 - thank you for your prompt reaction! I am hesitant about what would be the best email address for that purpose. To keep this not attached to a single person, probably supprt@artifex.com would be the best choice. This however does not represent an existing GitHub user - although all PyMuPDF maintainers would be informed by any incoming mail. If a GitHub user is in fact needed, you may want to just use mine, jorj.x.mckie@outlook.de.

ennamarie19 commented 3 weeks ago

> Hi @ennamarie19 - thank you for your prompt reaction!
>
> I am hesitant about what would be the best email address for that purpose. To keep this not attached to a single person, probably supprt@artifex.com would be the best choice. This however does not represent an existing GitHub user - although all PyMuPDF maintainers would be informed by any incoming mail.
>
> If a GitHub user is in fact needed, you may want to just use mine, jorj.x.mckie@outlook.de.

Thank you so much! I'll submit the distribution email and if you'd like it to be changed, just let me know! This is just for email notifications that will point you to the portal that you'll eventually gain access to in order to view any vulnerabilities that may pop up. So I think the collective email would be best for this!

jamie-lemon commented 3 weeks ago

Please note - it is support@artifex.com just in case you copy and paste the email above which had dropped the "o" :)

JorjMcKie commented 2 weeks ago

Close as completed because the approach has been arranged.