On Sat, Mar 7, 2015 at 10:30 PM, Matthew Brush mbrush@codebrainz.ca wrote:
On 15-03-07 12:59 PM, Liviu Andronic wrote:
On Thu, Feb 26, 2015 at 7:18 PM, Colomban Wendling lists.ban@herbesfolles.org wrote:
Hey,
On 12/02/2015 22:21, Liviu Andronic wrote:
Dear all, Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service: https://scan.coverity.com/projects/1388
Quoting Coverity's Scan User Agreement:
"You will not publish any findings regarding or resulting from use of the Service or the Software;"
IANAL, but this looks like we couldn't discuss an issue it found on e.g. this mailing list. And your report about what it did find in Geany's code is already a violation of that agreement.
More, just for the fun:
"“Confidential Information” means: […] (d) any results of operation from use of the Software or the Service;"
"Without limiting the generality of the foregoing, You agree that You will not post […] the results of the Service […] on any network that is accessible by anyone."
And this is the Scan User Agreement, I couldn't even find the Scan Terms of Use (at least not without trying to actually register myself).
So… really?
Regards, Colomban
PS: Of course one will tell me that "in practice" they won't come after us for discussing a fix, but if it really is against the UA I'd rather not try and see what happens.
I haven't gotten any reply to my request for clarification. But I've also discussed this issue with LyX devels.
The opinion there is that it's common sense to simply ignore the overly restrictive aspects of Coverity's User Agreement. It's highly unlikely that they'll come chasing for discussing a bug on the ML, and if they do, this shall be incredibly negative PR for them given all the efforts that they make to attract the open-source community. Given that very big projects use Coverity regularly, like LibreOffice or the Linux Kernel, perhaps it's not worth stressing too much about this.
Of course Geany maintainers are free to choose their stance on this issue. And if you're unhappy with the current situation, I could as well try to ask them to remove Geany from their service. Another way would be, for instance, to set up a dedicated, private ML (e.g. geany-dev-coverity) to which only members with access to Coverity can post/read. This should avoid most of the nagging related to their UA.
Hi,
It's unclear what advantage Coverity has over just running Clang Static Analyzer and their various sanitizers. Is it just for the web UI or something?
People say it's "powerful"... I guess it's capable of detecting issues other tools don't. It also helps devels quite a bit to understand the underlying issue and how to address it.
From the other projects that are on Coverity, I hear nice things overall from the devels, namely that it's "useful". In other instances, it mainly identifies "trivial" coding issues (which, hopefully, points to the coding base being robust).
Cheers, Liviu
Cheers, Matthew Brush
Devel mailing list Devel@lists.geany.org https://lists.geany.org/cgi-bin/mailman/listinfo/devel