Cassandrich

Heads-up FOSS maintainers!

There is a person sending bulk patches/PRs to FOSS projects for supposed issues "Found by RASU JSC" (not sure if that's a static analysis tool itself, or some org).

The patches I've received are all very, VERY wrong formulaic changes, maybe even LLM-generated, doing things as stupid as replacing sprintf(s, fmt, ...) with snprintf(s, sizeof s, fmt, ...) where s has pointer type.

If you've accepted any such patches, review carefully & possibly revert!

I have tried replying to the person sending these again and again explaining why they're wrong, and he's either ignoring me or my replies are going to his spambox.

I'm not sure if he's malicious or just doesn't know what he's doing, but either way, it's dangerous af.
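To make the sprintf/snprintf point concrete, here is an added example (not code from musl or from any of the patches in question; the function names and the "host=%s port=%d" format are hypothetical). When s is a char *, sizeof s is the size of the pointer, typically 8, so the "fix" silently truncates the output to 7 characters plus the terminator while the return value still reports the full length:

```c
#include <stdio.h>
#include <string.h>

/* The mechanical rewrite: s has pointer type, so sizeof s is the size of a
 * char * (8 on LP64 targets), not the capacity of the buffer it points to.
 * Output is cut to sizeof(char *) - 1 bytes; the return value is the length
 * the full string would have had. */
int format_wrong(char *s, const char *name, int port)
{
    return snprintf(s, sizeof s, "host=%s port=%d", name, port);
}

/* The correct form: the caller passes the buffer's real capacity, which
 * sizeof cannot recover from a pointer. */
int format_right(char *s, size_t cap, const char *name, int port)
{
    return snprintf(s, cap, "host=%s port=%d", name, port);
}

/* The check a real fix should add: snprintf reports the untruncated length,
 * so n >= cap means the output did not fit. Returns 0 on success, -1 if
 * truncated (or on an encoding error). */
int format_checked(char *s, size_t cap, const char *name, int port)
{
    int n = snprintf(s, cap, "host=%s port=%d", name, port);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return 0;
}

int main(void)
{
    char buf[64];

    format_wrong(buf, "example.org", 443);
    printf("wrong:   \"%s\" (only %zu chars kept)\n", buf, strlen(buf));

    format_right(buf, sizeof buf, "example.org", 443);
    printf("right:   \"%s\"\n", buf);

    printf("checked: cap 8 -> %d, cap 64 -> %d\n",
           format_checked(buf, 8, "example.org", 443),
           format_checked(buf, sizeof buf, "example.org", 443));
    return 0;
}
```

Note that sizeof only yields a buffer length when the operand is the array object itself, as with `buf` in main; inside any function that receives the buffer through a pointer, the length has to be passed explicitly.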

@dalias I used to be part of the security team for a popular FOSS product. The number of people who ran some dumb script and then wanted a bounty for their non-bugs (as flagged by the dumb script) was so high we started to filter them, directing them to a page on how to submit a PoC.

@alan This doesn't seem to be seeking bounties. It's either a genuine but horribly botched attempt to fix unsafe code, or a stochastic bug injection op.

@dalias True. Many of them didn't ask for bounties, just credit for the non-vulnerabilities.

@dalias @alan For what I have seen they are just rude, arrogant and deaf. I admire your patience. (actually I was thinking of the other fellow, spinning times)

@dalias "Rusatom Automated Control Systems (RASU) is official business integrator of comprehensive industrial automation solutions provided by State Nuclear Energy Corporation Rosatom for the international market." Oh great...

@wakame @dalias @Velyn Now I'm reminded of the Accelerando lobsters.

@dalias FWIW: JSC is the common abbreviation for a Russian corporation.

@dalias we've received a few that haven't been terrible

@djm Have you seen the musl ones? They were sent off list but I cc'd the list & quoted on replies. All were wrong, most completely broke the functions they purported to fix. And the static analysis was erroneous.

@djm One was "this pointer is dereferenced later so return early if it's null" when the deref was conditional and not reachable if null, but where returning early made the common case completely non-operational.

@djm The most dangerous part is the combination of really low quality static analysis like that with authoritative sounding "this is the fix for this issue" formulaic patches.
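An added example of the early-return pattern described two posts up (not musl code, and not any of the actual patches; the function, the "optional name with a default" semantics and the buffer sizes are hypothetical). The parameter is optional, NULL means "use the default", and the only dereference sits inside the branch that already checks it. The analyzer sees a dereference "later", the patch adds an unconditional null check at the top, and every caller that relied on the default now gets an error:

```c
#include <stddef.h>
#include <string.h>

/* Original behaviour: s is optional. NULL (or "") selects the built-in
 * default. The only dereference of s is guarded by the if, so there is no
 * null-pointer bug here to fix. Returns 0 on success, -1 if out is too small. */
int set_name_original(const char *s, char *out, size_t cap)
{
    const char *def = "default";
    if (s && s[0]) {                 /* s is dereferenced only here */
        if (strlen(s) >= cap) return -1;
        strcpy(out, s);
        return 0;
    }
    if (strlen(def) >= cap) return -1;
    strcpy(out, def);
    return 0;
}

/* The "fix": add a null check up front because s is dereferenced below.
 * The guarded path is unchanged, but the common case, callers passing NULL
 * to get the default, now fails instead of working. */
int set_name_patched(const char *s, char *out, size_t cap)
{
    const char *def = "default";
    if (!s) return -1;               /* added by the patch: breaks NULL callers */
    if (s && s[0]) {
        if (strlen(s) >= cap) return -1;
        strcpy(out, s);
        return 0;
    }
    if (strlen(def) >= cap) return -1;
    strcpy(out, def);
    return 0;
}
```

The review question to ask of any such patch is whether the dereference the analyzer flagged is actually reachable with a null pointer; if it is already guarded, the patch changes behaviour without fixing anything, and the callers that pass NULL on purpose are where it breaks.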

@dalias we didn't get any like that, they all seem to have been qualified by a human first. Also the ones we received were AFAIK all from different people

@djm @dalias I’ve been getting a steadily slow amount of reports from the USI Lugano, Switzerland, which are overall good: reports and reproducers, a request to comment, but no suggested patches, and in some cases the behaviour was expected and this led to docs improvements instead. Nice interaction, no demands.