[Fedora-infrastructure-list] Re: coverity code checker in Extras
Josh Boyer
jwboyer at jdub.homelinux.org
Thu Aug 31 02:41:16 UTC 2006
On Wed, 2006-08-30 at 18:10 -0400, Warren Togami wrote:
> We have been trying to keep Fedora's Infrastructure completely FOSS for
> the purpose of making it reproducible and easy to contribute
> improvements. This is a noble goal.
Which infrastructure? Extras or Core? Because if you mean Fedora in
general, then I'm sorry but that's a bit off. The Core buildsys is not
open sourced.
>
> Comparing Coverity to Bitkeeper is not a fair comparison because Fedora
> and any projects that reproduce it would not depend on it. Coverity
> would in part protect Fedora, but this really is a tool for improving
> upstream projects, and Fedora would just make it easier to funnel
> analysis and reports.
Yes.
> We have long wanted to implement post-build check reports in order to
> improve package quality in an automated fashion. Coverity could just be
> another post-build check in that list.
Yes.
> On the other hand, we may want to implement Coverity in a different way
> than post-check. The output needs to be kept private to the individual
> package owners and possibly security group people so security embargoes
> can be handled in a responsible way in cooperation with upstream
> projects. We also want to avoid slowing down the build, sign and push
> process any further.
>
> My Proposal
> ==========
> A good compromise would be for Coverity to be run outside of the scope
> of the Fedora Project as just a Red Hat thing. It would run
> asynchronously on the binary RPMS in pushed repositories. If Fedora
> contributors are interested in helping to better automate this they are
> free to do so.
Erm... doesn't Coverity need _source_?
>
> This way Fedora and upstream benefit from Coverity analysis, and Fedora
> remains ideologically pure.
*cough* Core buildsys *cough*
josh