Re: Calysto v1.5 reports on openldap_v2.4.4alpha

On Aug 21, 2007, at 1:27 AM, Pierangelo Masarati wrote:

Domagoj Babic wrote:

Ok, thank you a bunch for the clarification.

This might be especially relevant to buffer overrun checking


However, Kurt, on the behalf of the OpenLDAP Foundation, explicitly
stated that the foundation is not interested in having the code
statically checked, so I won't be sending reports (except for one
more I have already generated).

I don't think he said exactly that.

He's (mis)characterizing what I said in a private email. I have separately posted clarification.

I believe he said the project is
not interested in receiving plain reports just for the purpose of
debugging Calysto (nothing personal: only, we're just a few volunteers,
and we cannot dedicate too much time in reviewing reports potentially
filled by false positives). If you put some effort in separating what
could be critical from what isn't likely, any report would be welcome.

I think your mistake is, to some extent, due to my earlier public comments. In particular, I was speaking then as an individual. I stated what I, personally, was interested in. Others may have different interests than myself. It was not my intent, in those emails, to speak collectively for the Project. I leave that to Howard.

For example, I'm reviewing your initial submission and, apart from
what's directly related to the clients, there are a couple of reports
that may require some action. I'll post about my findings later, on a
private basis. Only, I'm not going to do this routinely and too often.

Once Calysto becomes publicly available, you might actually get in a
position where other people will be capable of finding exploits
automatically --- every great technology has its dark side :-)

I know. That's why I'm not going to entirely decline the reports you offered to submit.

As I noted in the recent message I sent clarifying the Foundation's recent action, it was the strings attached to his future reports that were declined.


