[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: coverity code checker in Extras



On Wed, 2006-08-30 at 13:11 -0500, Jason L Tibbitts III wrote:
> >>>>> "TM" == Till Maas <opensource till name> writes:
> 
> TM> what is it really, what is going to happen if we accept their
> TM> offer? Will every package in Extras be scanned?
> 
> I don't think their technology would support that; as far as I know
> they can't do anything with Perl or Python or the like.
> 
Yes.  I asked them at linuxworld and they seem to be focusing on
traditional compiled languages.  If I recall it was C and C++ right now,
Java very soon.

> What I find to be of more concern is what maintainers are expected to
> do with that information.  In most cases all we'd be able to do is
> pass the reports upstream, which I suppose would be OK but might be a
> bit much to ask some maintainers (i.e. the ones with 50+ packages) to
> handle.  Ideally Coverity would just deal directly with upstream and
> extras wouldn't need to be involved.

We could have a coverity SIG. that helped pass reports upstream.  Or we
could see if coverity is open to allowing upstream maintainers direct
access to their reports.  Then Extras is a partnership with Coverity --
we are a kind of filter for open source packages that are of interest to
the community and provide some infrastructure to help run their scanner.
They provide the scanner and generate the reports.

If I understand correctly, the coverity proprietary stuff will run on
our servers and the reports will be viewable over the web.  No
proprietary packages are needed in the distribution or Extras itself.
Under these terms I think it's generally a good thing.  We'd need to
hash out how it fits in infrastructure-wise and how we're going to
distribute the information but those are details we can take care of
later.  Finding out how coverity sees us distributing the data and how
much overhead this is going to bring (will it double the time spent
building packages?  Will it run on another machine and simply scan the
cvs repository and lookaside cache?) are the only questions that come to
mind.

-Toshio

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]