[Dev] A security researcher has found 40 unknown zero-day vulnerabilities in Tizen

Carsten Haitzler c.haitzler at samsung.com
Thu Apr 6 13:45:12 GMT 2017

On Thu, 6 Apr 2017 08:28:11 -0400
Maxim Khitrov <max at bhsai.org> wrote:

> On Thu, Apr 6, 2017 at 4:12 AM, Carsten Haitzler
> <c.haitzler at samsung.com> wrote:
> > I wish he'd actually filed bugs on http://bugs.tizen.org 8 months
> > ago. Every platform and software has bugs.  
> Yea, but the other platforms generally try to fix those bugs when they
> are reported. I filed this back in August (not security related, but a
> serious issue nonetheless):
> https://bugs.tizen.org/jira/browse/PTAPI-59

Yes. I remember seeing this. Or something similar...

> You guys definitely take bug reports seriously. When that went
> nowhere, I posted about it on this list in December:
> https://lists.tizen.org/pipermail/dev/2016-December/007243.html

Yes. That's when I saw it ... I responded. :) So did one of the
developers who works on that code.

Although this isn't a security issue, it's an annoying bug nevertheless,
but you did get a response to your mail... :) You did file a bug and
that's a good thing. At least the response to the mail was "It'll be
fixed". :)

> Still zero progress. Each software update for the Gear S2 and S3
> changed how sensor timestamps work, so we had to basically ignore them
> to get our app to work. A new update was just released for the S3, so
> I'm eager to find out what will break this time. This, of course, also
> makes us question whether the sensor data is at all reliable. I didn't
> bother reporting bugs in the Bluetooth framework because what's the
> point? Then there is the problem of inaccurate documentation on
> developer.tizen.org, which I won't even go into.

Now here is where I'll have to explain. Products take Tizen and modify
it and then ship a product and whatever group does that is in charge.
(much like Android etc.) and the platform maintainers have limited
influence or control over this. If it's a platform issue then it can be
fixed on the platform side, but the product groups or companies shipping
the products are in charge of what you end up getting. They are
completely different teams and there is no single coherent "Tizen
leader" who tells everyone what to do with Tizen, how to do it and when.
We can fix bugs in the platform but can't guarantee if an update will
ship for devices or if it will be changed by the time it ships for a
device. That's how all of this is structured. I wish I was able to
change this.

> Anyone who has looked at review.tizen.org/git, and congratulations if
> you actually managed to find what you're looking for there, pretty
> much comes to the same conclusion: Tizen is a mess with really bad
> code all around. I definitely won't touch it again once my current
> project is over. You might want to focus on that first before
> complaining that people aren't filing bug reports.

You are absolutely right. Gerrit is really hard to find what you want.
There are often multiple instances of the same code base and you don't
know which one is active. There generally isn't a nice "README.md" like
front page to tell you what that git repo is for etc. and you need to
dig a lot and have a lot of knowledge. I know that filing a bug
isn't exactly nice - the project list isn't often too useful. There is
a lot to improve. I might have structured it differently. I sure think
that Tizen platform developers need to be more accessible and open to
the public.

More information about the Dev mailing list