Reactivate xz#11805
Conversation
|
thesamesam is integrating a new project: |
|
I have no idea about ae9dd26 fwiw, other than being confident that it's not caught up in this - i.e. I have no association with LZMA SDK / 7zip (totally distinct project from xz) development at all. As such, if y'all want to handle it in a separate PR, that's fine, but I'm probably not the person to drive that. I don't know who should be contacted to get it re-activated though. As far as I'm concerned, it was a bystander victim here in the end (not saying the revert was unreasonable or anything, just where we are now). Let me know what's best. Thanks! |
thesamesam
force-pushed
the
revive-xz
branch
2 times, most recently
from
ec4d23d to
b81d08f
Compare
|
I'm happy to let @thesamesam handle the fuzzing related communication. Thanks! :-) |
| - afl | ||
| - honggfuzz | ||
| - libfuzzer | ||
|
|
There was a problem hiding this comment.
Is this project even maintained at all? I don't see any activity for the last 5 years. For example:
- https://bugs.chromium.org/p/oss-fuzz/issues/list?q=proj%3Alzma&can=1 had only bugs reported in 2019, some of them fixed in the same year, but others, such as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13995&q=proj%3Alzma&can=1 were left unfixed.
- https://github.com/fancycode/lzma-fuzz hasn't seen any commit since 2019 either.
Not sure what is best to be done here, but maybe @fancycode could be asked to sign off on re-adding the project?
There was a problem hiding this comment.
A great question which I have no idea how to answer. LZMA SDK is definitely maintained upstream but it doesn't look like it's had any attention for oss-fuzz in the last few years.
Should I split the LZMA SDK parts into a separate PR, or leave it entirely? I don't have any association with that project, so not sure if I'm the best person to do that. I just felt bad that they got caught up in the crossfire.
@fancycode What do you think?
There was a problem hiding this comment.
@Larhzu maybe we can ask Igor about it although not sure if he has a Google account..
There was a problem hiding this comment.
In the meantime, I think I should just drop those parts from this PR, as it seems kind of open-ended as I'm not sure what the outcome will be there.
There was a problem hiding this comment.
A great question which I have no idea how to answer. LZMA SDK is definitely maintained upstream but it doesn't look like it's had any attention for oss-fuzz in the last few years.
Should I split the LZMA SDK parts into a separate PR, or leave it entirely? I don't have any association with that project, so not sure if I'm the best person to do that. I just felt bad that they got caught up in the crossfire.
@fancycode What do you think?
@thesamesam Thanks for the heads up! Feel free to put the LZMA SDK parts in a separate PR. While this indeed was not maintained recently, I just started again, will upgrade to the latest SDK version in fancycode/lzma-fuzz#4 and will try to keep this up to date better in the future. Having the SDK check integrated in CI should help.
There was a problem hiding this comment.
I guess it makes most sense if the project is re-added in a separate pull request, so that the oss-fuzz maintainers can evaluate the projects separately.
Another thing I noticed: The primary_contact: ipavlov@users.sourceforge.net email is not reachable, because the email seems to bounce, so when re-submitting this project, it could make sense to adjust the email.
|
Thanks @thesamesam. |
|
@DonggeLiu No problem, thanks for the review. I will do now. I wasn't sure if I should handle it given I was just reverting, but let's do it. Gimme a sec.. |
This reverts commit 1bb8ea7. The malicious test files have been removed from the git repository in upstream commit e93e13c8b3bec925c56e0c0b675d8000a0f7f754. For xz-java, it was clean to begin with. For xz itself, it's now clean in master. I have also fixed the copyright headers in this commit.
Per https://tukaani.org/, we have: > The XZ projects were moved to their own website on xz.tukaani.org in January 2024 > and back here in their original location in April 2024. > The xz.tukaani.org links don’t work anymore.
xz has dropped IFUNC support in master, see upstream commits 689ae2427342a2ea1206eb5ca08301baf410e7e0 and 986865ea2f9d1f8dbef4a130926df106b0f6d41a. This reverts commit d2e42b2.
Per https://tukaani.org/, we have: > The XZ projects were moved to their own website on xz.tukaani.org in January 2024 > and back here in their original location in April 2024. > The xz.tukaani.org links don’t work anymore.
|
By the way, I wouldn't want it to block merging the reactivation, but if anyone is willing or able to help improve our fuzzing setup for xz, please do let us know / feel free to take a look. We really want people to be confident in xz and any/all suggestions are welcome. When this is in, I will setup CIFuzz at least, but may need advice on how to do more than that (or patches ;)). |
This reverts commit ae9dd26. There is no evidence that the LZMA SDK in 7zip was affected at all - the issue in xz was a rogue co-maintainer. I have also fixed the copyright headers, per CI. -- See also the discussion at #11805 (comment). I don't have an association with LZMA SDK, but noticed this when fixing up xz (for which I do have an association).
5 participants
Lasse and I have discussed this and we'd like oss-fuzz working again on the repository as fixes and various cleanups continue to be committed.
The malicious test files have been purged already in tukaani-project/xz@e93e13c.
Obviously will need an ACK from @Larhzu.