tmshort
commented
10 months ago Not worried about Fuzz
Closed tmshort closed 10 months ago
tmshort
commented
10 months ago Not worried about Fuzz
richsalz
commented
10 months ago Not worried about Fuzz
Is this something we should care about? I'm probably fine with either answer, but would like to know why it's an issue.
kaduk
commented
10 months ago Not worried about Fuzz
Is this something we should care about? I'm probably fine with either answer, but would like to know why it's an issue.
clang-15: error: unsupported option '--with-fuzzer-lib=/usr/lib/libFuzzingEngine' seems to say that the clang available doesn't support libfuzzer. But that's a pretty modern clang, and libfuzzer is also a LLVM project, so that's kind of weird. Googling for that flag doesn't find much other than "how to fuzz openssl" postings, but I do wonder if perhaps it needs the C++ driver rather than the C driver.
Anyway, to answer the question, we would probably prefer to have the fuzzers running, but openssl itself is also supposed to be running them, and IIRC we haven't updated the fuzzers' test recipes to attempt to engage any of our QUIC code, so we wouldn't be getting particular benefit from them other than testing stock openssl's code. So, we should care, but not very urgently.
baparham
commented
10 months ago Are tags going to be created for these new versions once they are merged? what about existing missing tags like 3.0.11 that have been merged for a few weeks?
tmshort
commented
10 months ago Are tags going to be created for these new versions once they are merged? what about existing missing tags like 3.0.11 that have been merged for a few weeks?
I will do it soon (possibly this week).
Checklist