
Security policies for GNU toolchain projects

Posted Oct 3, 2023 14:34 UTC (Tue) by khim (subscriber, #9252)
In reply to: Security policies for GNU toolchain projects by mb
Parent article: Security policies for GNU toolchain projects

> Run a fuzzer and dump the logs into the bug tracker.
> That is useful. It is a useful report.

No. It's not. Most bug reports filed by fuzz-diots don't include enough information to do anything with them without conducting a lot of research. Many (most?) don't even bother describing how you can reproduce the bug in question, and don't even tell you what component is affected and what precise version was tested.

You have to [try to] glean that information from the fuzz-diot, as you have tried to do with farnz's “bugreport”, but the more prudent action would be to plug that disaster at the source.

> And you as the developer may choose how to handle it.
> You may analyze it. You may ignore it. You may wont-fix it. Or you may blame the reporter. etc..
> Up to you.

Since we are dealing with a DoS attack, the best action here is to find the host that sends them and make it stop. And that means “attacking the messenger”. Filtering out these useless “bugreports” is only the second-best option, but in the current “woke culture” it's often the only option, because the best route is not accessible to you.



Maybe bring this to a close?

Posted Oct 3, 2023 14:57 UTC (Tue) by corbet (editor, #1)

I'm not sure that this conversation is converging on anything useful, and I would really rather not see terms like "fuzz-diots" used here. May I gently suggest that the time is coming to wind this discussion down?


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds