Re: Reporting 1.2K crashes
On Tue, Jun 25, 2013 at 11:38 AM, Marc Haber
> Will you also check Debian unstable? It is much easier to have a
> package in unstable fixed, and I suspect that not every crash you find
> will be a security relevant one.
We actually already did :) We re-ran all the crashes on Debian
unstable. This means that all the crashes we are going to report have
been confirmed on the latest packages from Debian unstable.
> Additionally, I guess that the vast majority of crashes you have found
> will be upstream bugs which the Debian maintainer would have to
> forward upstream. Will you take efforts to report these bugs to
> upstream as well?
Yes. Bugs will be reported upstream first. After two weeks, we will
re-run the crashes on the latest packages from Debian unstable.
Hopefully, the upstream developers will have had time to update packages
with a fix. If the crash still exists, then we will go ahead and
submit a report to the Debian BTS.
> Will you check distributions other than Debian, and how will you make
> sure that the upstreams are not swamped with identical bug reports from
> each of their downstream distributions?
We might check distributions other than Debian in the near future,
and, as you pointed out, we need to be careful not to report duplicate
bugs. Avoiding duplicate reports has been one of our main goals. That
is why we are reporting only one bug per binary, and at most 5 crashes
per package. We are still thinking about how to minimize duplicate
reports across distributions. One idea would be to limit the number of
"open" bug reports to 1 per upstream. When the bug is marked as fixed,
we analyze the patched binary with Mayhem, and potentially report a
new bug if a crash is found.
The Mayhem Team
CyLab, Carnegie Mellon University