On 15-03-07 12:59 PM, Liviu Andronic wrote:
On Thu, Feb 26, 2015 at 7:18 PM, Colomban Wendling <lists.ban@herbesfolles.org> wrote:
Hey,
On 12/02/2015 22:21, Liviu Andronic wrote:
Dear all,
Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service: https://scan.coverity.com/projects/1388
Quoting Coverity's Scan User Agreement:
"You will not publish any findings regarding or resulting from use of the Service or the Software;"
IANAL, but this looks like we couldn't discuss an issue it found on e.g. this mailing list. And your report about what it did find in Geany's code is already a violation of that agreement.
More, just for the fun:
"“Confidential Information” means: […] (d) any results of operation from use of the Software or the Service;"
"Without limiting the generality of the foregoing, You agree that You will not post […] the results of the Service […] on any network that is accessible by anyone."
And this is the Scan User Agreement, I couldn't even find the Scan Terms of Use (at least not without trying to actually register myself).
So… really?
Regards, Colomban
PS: Of course one will tell me that "in practice" they won't come after us for discussing a fix, but if it really is against the UA I'd rather not try and see what happens.
I haven't gotten any reply to my request for clarification. But I've also discussed this issue with LyX devels.
The opinion there is that it's common sense to simply ignore the overly restrictive aspects of Coverity's User Agreement. It's highly unlikely that they'll come chasing for discussing a bug on the ML, and if they do, this shall be incredibly negative PR for them given all the efforts that they make to attract the open-source community. Given that very big projects use Coverity regularly, like LibreOffice or the Linux Kernel, perhaps it's not worth stressing too much about this.
Of course Geany maintainers are free to choose their stance on this issue. And if you're unhappy with the current situation, I could as well try to ask them to remove Geany from their service. Another way would be, for instance, to set up a dedicated, private ML (e.g. geany-dev-coverity) to which only members with access to Coverity can post/read. This should avoid most of the nagging related to their UA.
Hi,
It's unclear what advantage Coverity has over just running Clang Static Analyzer and their various sanitizers. Is it just for the web UI or something?
Cheers, Matthew Brush