
Re: coverity code checker in Extras



We have been trying to keep Fedora's Infrastructure completely FOSS for the purpose of making it reproducible and easy to contribute improvements. This is a noble goal.

Comparing Coverity to Bitkeeper is not a fair comparison because Fedora and any projects that reproduce it would not depend on it. Coverity would in part protect Fedora, but this really is a tool for improving upstream projects, and Fedora would just make it easier to funnel analysis and reports.

We have long wanted to implement post-build check reports in order to improve package quality in an automated fashion. Coverity could just be another post-build check in that list.

On the other hand, we may want to implement Coverity in a different way than post-check. The output needs to be kept private to the individual package owners and possibly security group people so security embargoes can be handled in a responsible way in cooperation with upstream projects. We also want to avoid slowing down the build, sign and push process any further.

My Proposal
==========
A good compromise would be for Coverity to be run outside of the scope of the Fedora Project as just a Red Hat thing. It would run asynchronously on the binary RPMs in pushed repositories. If Fedora contributors are interested in helping to better automate this, they are free to do so.

This way Fedora and upstream benefit from Coverity analysis, and Fedora remains ideologically pure.

Thoughts?

Warren Togami
wtogami redhat com
