[libvirt] How about fuzz testing on oss-fuzz?

Daniel P. Berrange berrange at redhat.com
Tue May 9 09:26:07 UTC 2017


On Tue, May 09, 2017 at 11:12:24AM +0200, Michal Privoznik wrote:
> On 05/09/2017 11:01 AM, Daniel P. Berrange wrote:
> > On Fri, Mar 31, 2017 at 10:23:33AM +0200, Peter Krempa wrote:
> >> On Fri, Mar 31, 2017 at 03:57:41 -0400, Dan wrote:
> >>> Hi all,
> >>>
> >>> I have seen libxml2 has already been added as a project in oss-fuzz [1].
> >>> Any idea about libvirt? While we could do our own fuzzing of some form, do
> >>> we want to also try it out using Google's free resource?
> >>
> >> The oss-fuzz project requires you to integrate the project with
> >> the libfuzz fuzzer in the first place so you have to make it run locally
> >> first anyways.
> >>
> >> Doing it on the oss-fuzz project is still the step after that.
> > 
> > FYI, Google is now offering rewards to projects that integrate
> > with oss-fuzz
> > 
> >   "To qualify for these rewards, a project needs to have a large
> >    user base and/or be critical to global IT infrastructure. 
> >    Eligible projects will receive $1,000 for initial integration,
> >    and up to $20,000 for ideal integration (the final amount is
> >    at our discretion). You have the option of donating these 
> >    rewards to charity instead, and Google will double the amount."
> > 
> > I'd like to think libvirt qualifies under "large user base" and
> > "critical to global IT" given prevalence of the cloud these days,
> > but no guarantees
> > 
> >   https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html
> 
> Right. I've read this on G+ during the weekend. And now that we have
> accepted a student for the fuzzing GSoC project, we can work towards
> that goal.
> 
> > 
> > Not that libvirt really has any current need for monetary funds. If it ever
> > came to pass, we could just have a poll amongst active contributors to
> > vote on suggestions of what to do with it (donate it, spend it, fund something,
> > etc).
> 
> I don't know any details, but I know from the past that receiving money
> for orgs wasn't trivial (at least for GSoC). We had to have a law
> entity that covers the project. Since there was none, we donated our
> mentor money to Tor foundation. But it has changed a while ago (again,
> at least for GSoC), so maybe we are eligible to receive money after all.

Yep, just telling Google to donate it directly to a charity of our
choosing would probably end up being the simplest option from a legal
pov, as it would avoid us handling it at all.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|



