[libvirt] How about fuzz testing on oss-fuzz?
Daniel P. Berrange
berrange at redhat.com
Tue May 9 09:26:07 UTC 2017
On Tue, May 09, 2017 at 11:12:24AM +0200, Michal Privoznik wrote:
> On 05/09/2017 11:01 AM, Daniel P. Berrange wrote:
> > On Fri, Mar 31, 2017 at 10:23:33AM +0200, Peter Krempa wrote:
> >> On Fri, Mar 31, 2017 at 03:57:41 -0400, Dan wrote:
> >>> Hi all,
> >>>
> >>> I have seen libxml2 has already been added as a project in oss-fuzz [1].
> >>> Any idea about libvirt? While we could do our own fuzzing of some form, do
> >>> we want to also try it out using Google's free resource?
> >>
> >> The oss-fuzz project requires you to integrate the project with
> >> the libfuzz fuzzer in the first place so you have to make it run locally
> >> first anyways.
> >>
> >> Doing it on the oss-fuzz project is still the step after that.
> >
> > FYI, Google is now offering rewards to projects that integrate
> > with oss-fuzz
> >
> > "To qualify for these rewards, a project needs to have a large
> > user base and/or be critical to global IT infrastructure.
> > Eligible projects will receive $1,000 for initial integration,
> > and up to $20,000 for ideal integration (the final amount is
> > at our discretion). You have the option of donating these
> > rewards to charity instead, and Google will double the amount."
> >
> > I'd like to think libvirt qualifies under "large user base" and
> > "critical to global IT" given prevalence of the cloud these days,
> > but no guarantees
> >
> > https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html
>
> Right. I've read this on G+ during the weekend. And now that we have
> accepted a student for the fuzzing GSoC project, we can work towards
> that goal.
>
> >
> > Not that libvirt really has any current need for monetary funds. If it ever
> > came to pass, we could just have a poll amongst active contributors to
> > vote on suggestions of what to do with it (donate it, spend it, fund something,
> > etc).
>
> I don't know any details, but I know from the past that receiving money
> for orgs wasn't trivial (at least for GSoC). We had to have a law
> entity that covers the project. Since there was none, we donated our
> mentor money to Tor foundation. But it has changed a while ago (again,
> at least for GSoC), so maybe we are eligible to receive money after all.

Yep, just telling Google to donate it directly to a charity of our
choosing would probably end up being the simplest option from a legal
pov, as it would avoid us handling it at all.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|