[Development] Submitting Qt to oss-fuzz
Albert Astals Cid
albert.astals.cid at kdab.com
Fri Aug 31 10:52:32 CEST 2018
On Friday, 31 August 2018, at 10:27:08 CEST, Edward Welbourne wrote:
> Albert Astals Cid (30 August 2018 20:42) wrote:
> > oss-fuzz is an online fuzzing service run by Google.
>
> Sounds useful.
>
> > They test daily the code base and run fuzzing over it, maintaining a
> > list of open and closed bugs.
> >
> > Found bugs are sent to a list of trusted addresses and kept private for
> > 90 days, then if not fixed then they become public.
> >
> > Fixed bugs become public 30 days after being fixed.
>
> By "fixed" do they mean "we have told them we've fixed it" or "we've
> released all currently releasing branches of Qt with fixes" ?
Fixed means "the daily bot has run again and it has found that what was wrong
before is now fine".
> I'm
> guessing it's closer to the former than the latter. So we have a month
> from fixing it, or perhaps from releasing *one* branch with a fix,
> within which to also release all our other live branches. That sounds
> like it may stress our release processes. So we have a quarter year in
> which to find a fix, then we need to orchestrate releases across all
> branches within a month; and this happens for each and every issue
> found. That schedule is fine for Chromium, which doesn't support old
> versions or care about backwards-compatibility, but may be a poor fit
> for our more conservative processes.
>
> So it would be better to run this *ourselves*, if we can, so that the Qt
> community has more control over how and when the results get to be
> published.
This is scarily close to the security by obscurity argument ;)
"what if we have a horrible bug, we fix it, it becomes public in 30 days and
we've not been able yet to put out a release?"
My answer to that is, you had a horrible bug, it's fixed, that is a great
thing, so just put an advisory out with the patch if we can't get a release
out.
>
> > If you want to test it locally you can do
> >
> > python infra/helper.py build_fuzzers --sanitizer undefined qt
> > python infra/helper.py run_fuzzer qt qimage_fuzzer
> >
> > for the undefined sanitizer and
> >
> > python infra/helper.py build_fuzzers --sanitizer address qt
> > python infra/helper.py run_fuzzer qt qimage_fuzzer
>
> So it *can* be used locally, without giving Google yet more power ...
> Good to know.
But you lose the daily bot runs and the free hardware. I am not sure, but I
think the bot part is not actually free software, though I may be wrong. Also
when I run it, it stops at the first found issue, I guess there may be a
parameter to have it continue since the bot will find N issues in a given day.
Cheers,
Albert
>
> Eddy.
--
Albert Astals Cid | albert.astals.cid at kdab.com | Software Engineer
Klarälvdalens Datakonsult AB, a KDAB Group company
Tel: Sweden (HQ) +46-563-540090, USA +1-866-777-KDAB(5322)
KDAB - The Qt, C++ and OpenGL Experts