Slashdot Mirror


User: james_da_silva

james_da_silva's activity in the archive.

Stories
0
Comments
2

Comments · 2

  1. Re:Amanda or Zmanda? on Amanda 2.5 Released · Score: 2, Informative

    No, this isn't a fork. The post linked to Zmanda, but you can find the old logo and a reference to 2.5.0 at http://www.amanda.org/ as usual. (I had no idea anyone actually liked that logo. Ten minutes with an image editor ten years ago, and it's still up there.) Amanda, as always, has been developed by whoever was willing to pick up the ball and run with it. Right now Zmanda is taking an active interest and contributing heavily back to the open source program. This is of course A Good Thing.

  2. Re:YEAH RIGHT! on LAMP Lights the OSS Security Way · Score: 2, Informative

    To address several comments I've seen:

    * The Amanda developers (as far as I know) were not contacted about Amanda being on the list before it became news. But Coverity _was_ quick and friendly about giving Amanda developers full access to the bug list for Amanda when we registered.

    * Their checks do go beyond simple static checking; they are looking at possible values of index variables at different points in the code to assess potential overflows, and they are tracking malloc/free pretty well. You can find papers about their techniques on Dawson Engler's page at Stanford. There's no doubt that they are holding the clue stick here.

    For Amanda specifically, the majority, 76 out of 108 issues found, were malloc/free mismatches. In addition, there were 9 dead-code determinations, 16 potential null pointer dereferences, 3 cases of a function returning -1 into a length variable that is used without checking, 1 uninitialized variable, and 3 array overflow cases, for 108 problems in ~89 kloc, or ~1.2/kloc.

    Of the 3 array overflow reports, 1 was a false positive, and 2 were cases inside the report generator where the dump level read from the logs was not range checked before per-level statistics were updated. So a corrupted log could cause the report to fail, but no buffer-overflow security holes.

    In summary, I'd say the results are quite useful. Thanks to Coverity and our Homeland Security Big Brothers for funding these scans.

    James da Silva
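The report-generator finding described in the comment above (a dump level read from a log line used as an array index without a range check), shown as a constructed C example. This is added illustration, not Amanda's or James da Silva's code; the `level N ...` log line shape, the ten-slot statistics array, and all function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: dump levels are assumed to be 0..9, so the
 * per-level statistics live in a fixed array of ten slots. */
#define DUMP_LEVELS 10

struct level_stats {
    long dumps;
    long bytes;
};

/* Shared statistics table so the helpers below can be exercised stand-alone. */
struct level_stats g_stats[DUMP_LEVELS];

/* Unchecked pattern (the defect class in the report): the level parsed from
 * the log line is trusted as an index. A corrupted line such as
 * "level 42 disk3" would write past the end of the array. Not called here. */
void update_stats_unchecked(struct level_stats *st, const char *line)
{
    int level = atoi(line + strlen("level "));
    st[level].dumps++;                 /* out-of-bounds write if level >= 10 */
}

/* Hardened pattern: parse with strtol, reject anything that is not a
 * well-formed number in 0..9, and report failure instead of touching memory.
 * Returns 0 on success, -1 on a rejected line. */
int update_stats_checked(struct level_stats *st, const char *line, long bytes)
{
    if (strncmp(line, "level ", 6) != 0)
        return -1;
    const char *p = line + 6;
    char *end;
    long level = strtol(p, &end, 10);
    if (end == p || (*end != ' ' && *end != '\0'))
        return -1;                     /* not a number */
    if (level < 0 || level >= DUMP_LEVELS)
        return -1;                     /* out of range: skip, do not index */
    st[level].dumps++;
    st[level].bytes += bytes;
    return 0;
}

/* Feed constructed log lines (two good, one out of range, one garbage) through
 * the checked updater and return how many were rejected. */
int count_rejected_lines(void)
{
    static const char *lines[] = {"level 0 disk1", "level 1 disk2",
                                  "level 42 disk3", "level x disk4"};
    int rejected = 0;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (update_stats_checked(g_stats, lines[i], 1024) != 0)
            rejected++;
    return rejected;
}
```

A corrupted log line now makes the report skip the entry (or fail loudly, if the caller chooses), which is the outcome the comment describes, rather than silently corrupting adjacent memory.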