[Geany-Devel] using Coverity to audit the code base
mbrush at xxxxx
Sat Mar 7 21:30:15 UTC 2015
On 15-03-07 12:59 PM, Liviu Andronic wrote:
> On Thu, Feb 26, 2015 at 7:18 PM, Colomban Wendling
> <lists.ban at herbesfolles.org> wrote:
>> Le 12/02/2015 22:21, Liviu Andronic a écrit :
>>> Dear all,
>>> Recently I've discovered Coverity, a code checking tool, and went
>>> ahead and submitted the Geany code for static analysis by this
>> Quoting Coverity's Scan User Agreement:
>> "You will not publish any findings regarding or resulting from use of
>> the Service or the Software;"
>> IANAL, but this looks like we couldn't discuss an issue it found on e.g.
>> this mailing list. And your report about what it did find in Geany's
>> code is already a violation of that agreement.
>> More, just for the fun:
>> "“Confidential Information” means: […] (d) any results of operation from
>> use of the Software or the Service;"
>> "Without limiting the generality of the foregoing, You agree that You
>> will not post […] the results of the Service […] on any network that is
>> accessible by anyone."
>> And this is the Scan User Agreement, I couldn't even find the Scan Terms
>> of Use (at least not without trying to actually register myself).
>> So… really?
>> PS: Of course one will tell me that "in practice" they won't come after
>> us for discussing a fix, but if it really is against the UA I'd rather
>> not try and see what happens.
> I haven't gotten any reply to my request for clarification. But I've
> also discussed this issue with LyX devels.
> The opinion there is that it's common sense to simply ignore the
> overly restrictive aspects of Coverity's User Agreement. It's highly
> unlikely that they'll come chasing for discussing a bug on the ML, and
> if they do, this shall be incredibly negative PR for them given all
> the efforts that they make to attract the open-source community. Given
> that very big projects use Coverity regularly, like LibreOffice or the
> Linux Kernel, perhaps it's not worth stressing too much about this.
> Of course Geany maintainers are free to choose their stance on this
> issue. And if you're unhappy with the current situation, I could as
> well try to ask them to remove Geany from their service. Another way
> would be, for instance, to set up a dedicated, private ML (e.g.
> geany-dev-coverity) to which only members with access to Coverity can
> post/read. This should avoid most of the nagging related to their UA.
It's unclear what advantage Coverity has over just running Clang Static
Analyzer and their various sanitizers. Is it just for the web UI or
More information about the Devel