coverity code checker in Extras

Toshio Kuratomi toshio at tiki-lounge.com
Wed Aug 30 18:38:49 UTC 2006


On Wed, 2006-08-30 at 13:11 -0500, Jason L Tibbitts III wrote:
> >>>>> "TM" == Till Maas <opensource at till.name> writes:
> 
> TM> what is it really, what is going to happen if we accept their
> TM> offer? Will every package in Extras be scanned?
> 
> I don't think their technology would support that; as far as I know
> they can't do anything with Perl or Python or the like.
> 
Yes.  I asked them at linuxworld and they seem to be focusing on
traditional compiled languages.  If I recall it was C and C++ right now,
Java very soon.

> What I find to be of more concern is what maintainers are expected to
> do with that information.  In most cases all we'd be able to do is
> pass the reports upstream, which I suppose would be OK but might be a
> bit much to ask some maintainers (i.e. the ones with 50+ packages) to
> handle.  Ideally Coverity would just deal directly with upstream and
> extras wouldn't need to be involved.

We could have a coverity SIG that helped pass reports upstream.  Or we
could see if coverity is open to allowing upstream maintainers direct
access to their reports.  Then Extras is a partnership with Coverity --
we are a kind of filter for open source packages that are of interest to
the community and provide some infrastructure to help run their scanner.
They provide the scanner and generate the reports.

If I understand correctly, the coverity proprietary stuff will run on
our servers and the reports will be viewable over the web.  No
proprietary packages are needed in the distribution or Extras itself.
Under these terms I think it's generally a good thing.  We'd need to
hash out how it fits in infrastructure-wise and how we're going to
distribute the information but those are details we can take care of
later.  Finding out how coverity sees us distributing the data and how
much overhead this is going to bring (will it double the time spent
building packages?  Will it run on another machine and simply scan the
cvs repository and lookaside cache?) are the only questions that come to
mind.

-Toshio