[Python-Dev] About "Coverity Study Ranks LAMP Code Quality"
"Martin v. Löwis"
martin at v.loewis.de
Wed Mar 15 10:00:30 CET 2006
Alexander Schremmer wrote:
>>I can understand that position. The bugs they find include potential
>>security flaws, for which exploits could be created if the results are
>>freely available.
>
>
> On the other hand, the exploit could be crafted based on reading the SVN
> check-ins ...
Sure. However, at that point, the bug is fixed (atleast in SVN);
crackers need to act comparatively fast then to exploit it. OTOH, if
only the report was available, the project might not take any action
for some time, increasing the risk of an exploit.
Only telling the developers is an established tradition for
security-relevant bugs, and a reasonable one IMO.
Regards,
Martin
More information about the Python-Dev
mailing list