
Re: [tor-dev] Source Code Static Analysis



On Sun, Apr 28, 2013 at 04:39:55PM -0300, Ulises CuÃÃ wrote:
> I send you a new Security Report.
> 
> Regards,
> U
> 
> 
> 2013/4/27 Nick Mathewson <nickm@xxxxxxxxxxxx>
> 
> > On Sat, Apr 27, 2013 at 7:16 PM, Ulises CuÃÃ <ulises2k@xxxxxxxxx> wrote:
> > > I want to collaborate with the Tor project.
> > >
> > > I send a document of source code analysis about the latest version
> >
> > Well, looks like I'm spending my evening combing through this thing
> > looking for true-positives.  If you find any that aren't
> > false-positives --- particularly security-relevant ones --- please
> > send me a gpg-encrypted mail or something.  Sending them to the
> > mailing list like this isn't so great.
> >
> > (Does the Fortify license actually let you do this? I thought most
> > tools like this were a little picky about what code you could run them
> > on, and what you could do with the results.)
> >
> > best wishes,
> > --
> > Nick

Hi Ulises,

If you really want to collaborate, there are numerous different ways you
can do it. As an outsider myself, I understand it's difficult to decide
how exactly you can help and make improvements to Tor and the Tor
ecosystem. However, providing these reports in this way really is not
the best method to establish a collaborative relationship with the project.

The devs are really friendly, as I've discovered, so in the future it
is probably best if you contact them directly (as Nick described) and
discuss any (potential) vulnerabilities you've found rather than sending
an entire list of potential vulnerabilities to an open list.

- Matt
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev