
Re: [oss-security] Contributing Back

On Tue, Nov 05, 2019 at 10:43:11PM +0000, Seth Arnold wrote:
> I'm uneasy reporting "I saw no further instances of this" or "I saw no
> issues with this patch" because I am keenly aware that I cannot be
> confident in my assessments. I'm very accustomed to pointing out problems
> when I see them, so that comes easily.

Besides "I saw no issues", etc. please also describe the scope of your
review - e.g., "I grepped the version X.Y tree for [some pattern] and
there were only two hits, which I reviewed and they look correct to me"
or "I've tried applying the patch to version X.Y, building with ASan,
and running the test suite on Ubuntu 19.10, and all tests passed" or
even "I skimmed over this lengthy patch in 10 minutes and didn't see
anything obviously wrong" (not ideal, but also not misleading).  Of
course, more detail (after a summary like this) would be even better -
e.g., you could include code snippets for those two grep hits from my
first example, which might result in others noticing issues in those.

For a real-world example, here's that message Anthony sent on July 25,
which is as desired in that it makes the scope clear:

"We have packaged the 4.92.1 release and performed some basic testing and
can confirm it works.  We do not have a reproducer for this issue so I
cannot confirm if the fix is correct but can confirm that the package is

> In any event I will do better.

Thank you, Seth.  Also, thank you Anthony for ack'ing my reminder (in
another message).