[Geany-Devel] using Coverity to audit the code base

Liviu Andronic landronimirc at xxxxx
Sat Mar 7 20:59:53 UTC 2015


On Thu, Feb 26, 2015 at 7:18 PM, Colomban Wendling
<lists.ban at herbesfolles.org> wrote:
> Hey,
>
> On 12/02/2015 22:21, Liviu Andronic wrote:
>> Dear all,
>> Recently I've discovered Coverity, a code checking tool, and went
>> ahead and submitted the Geany code for static analysis by this
>> service:
>> https://scan.coverity.com/projects/1388
>
> Quoting Coverity's Scan User Agreement:
>
> "You will not publish any findings regarding or resulting from use of
> the Service or the Software;"
>
> IANAL, but this looks like we couldn't discuss an issue it found on e.g.
> this mailing list.  And your report about what it did find in Geany's
> code is already a violation of that agreement.
>
> More, just for the fun:
>
> "“Confidential Information” means: […] (d) any results of operation from
> use of the Software or the Service;"
>
> "Without limiting the generality of the foregoing, You agree that You
> will not post […] the results of the Service […] on any network that is
> accessible by anyone."
>
> And this is the Scan User Agreement, I couldn't even find the Scan Terms
> of Use (at least not without trying to actually register myself).
>
> So… really?
>
> Regards,
> Colomban
>
>
> PS: Of course one will tell me that "in practice" they won't come after
> us for discussing a fix, but if it really is against the UA I'd rather
> not try and see what happens.
>
I haven't gotten any reply to my request for clarification. But I've
also discussed this issue with LyX devels.

The opinion there is that it's common sense to simply ignore the
overly restrictive aspects of Coverity's User Agreement. It's highly
unlikely that they'll come chasing for discussing a bug on the ML, and
if they do, this shall be incredibly negative PR for them given all
the efforts that they make to attract the open-source community. Given
that very big projects use Coverity regularly, like LibreOffice or the
Linux Kernel, perhaps it's not worth stressing too much about this.

Of course Geany maintainers are free to choose their stance on this
issue. And if you're unhappy with the current situation, I could as
well try to ask them to remove Geany from their service. Another way
would be, for instance, to set up a dedicated, private ML (e.g.
geany-dev-coverity) to which only members with access to Coverity can
post/read. This should avoid most of the nagging related to their UA.

Cheers,
Liviu





-- 
Do you think you know what math is?
http://www.ideasroadshow.com/issues/ian-stewart-2013-08-02
Or what it means to be intelligent?
http://www.ideasroadshow.com/issues/john-duncan-2013-08-30
Think again:
http://www.ideasroadshow.com/library