Ethereal-dev: [Ethereal-dev] Re: Coverity Open Source Defect Scan of Ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Wed, 8 Mar 2006 10:20:58 +0000
I also take offence at that stupid text in the article.

Some comment to the article lists a long list of bugs that were all
from an advisory listing entries from reading the svn log.
Most of them were not security related at all: blindly allocating
large amounts of memory or entering an infinite loop is at best a
DoS, but not a security issue.
The author fails to realize the sole reason for there to be so many
entries in those advisories is that for over a year there has been
massive work doing fuzz testing, code auditing, removal of unsafe
calls etc. etc.
A massive focus on stability and finding and fixing bugs.

Since we spend so much time and resources on these things it is
obvious we will find many bugs, as if we didn't do any such thing.

The truth about the quality and amount of bugs can easily be seen in
the Coverity logs.
Half of the entries are false positives so far.
A bug/LOC value vastly below any other >1 MLOC project. A bug/LOC
value much better even than most small projects.

The truth about the quality and the bugs is plainly visible to anyone to see.
On 3/6/06, Gerald Combs <gerald@xxxxxxxxxxxx> wrote:
> Andreas Sikkema quoted from http://lwn.net/Articles/174426/ :
>
> > "On the other hand, ethereal shows a very low defect rate, which can be
> > hard to square with the long list of security advisories from that
> > project."
>
> <rant>
> How is this hard to square?  I (and others) have been busting our
> collective asses over the past year or so to find and fix security
> defects in Ethereal.  Both the low defect rate _and_ the long list of
> advisories are a direct result of this.  Sheesh.
> </rant>
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>