[Geany-Devel] using Coverity to audit the code base

Liviu Andronic landronimirc at xxxxx
Sat Mar 7 21:45:23 UTC 2015


On Sat, Mar 7, 2015 at 10:30 PM, Matthew Brush <mbrush at codebrainz.ca> wrote:
> On 15-03-07 12:59 PM, Liviu Andronic wrote:
>>
>> On Thu, Feb 26, 2015 at 7:18 PM, Colomban Wendling
>> <lists.ban at herbesfolles.org> wrote:
>>>
>>> Hey,
>>>
>>> On 12/02/2015 22:21, Liviu Andronic wrote:
>>>>
>>>> Dear all,
>>>> Recently I've discovered Coverity, a code checking tool, and went
>>>> ahead and submitted the Geany code for static analysis by this
>>>> service:
>>>> https://scan.coverity.com/projects/1388
>>>
>>>
>>> Quoting Coverity's Scan User Agreement:
>>>
>>> "You will not publish any findings regarding or resulting from use of
>>> the Service or the Software;"
>>>
>>> IANAL, but this looks like we couldn't discuss an issue it found on e.g.
>>> this mailing list.  And your report about what it did find in Geany's
>>> code is already a violation of that agreement.
>>>
>>> More, just for the fun:
>>>
>>> "“Confidential Information” means: […] (d) any results of operation from
>>> use of the Software or the Service;"
>>>
>>> "Without limiting the generality of the foregoing, You agree that You
>>> will not post […] the results of the Service […] on any network that is
>>> accessible by anyone."
>>>
>>> And this is the Scan User Agreement, I couldn't even find the Scan Terms
>>> of Use (at least not without trying to actually register myself).
>>>
>>> So… really?
>>>
>>> Regards,
>>> Colomban
>>>
>>>
>>> PS: Of course one will tell me that "in practice" they won't come after
>>> us for discussing a fix, but if it really is against the UA I'd rather
>>> not try and see what happens.
>>>
>> I haven't gotten any reply to my request for clarification. But I've
>> also discussed this issue with LyX devels.
>>
>> The opinion there is that it's common sense to simply ignore the
>> overly restrictive aspects of Coverity's User Agreement. It's highly
>> unlikely that they'll come chasing for discussing a bug on the ML, and
>> if they do, this shall be incredibly negative PR for them given all
>> the efforts that they make to attract the open-source community. Given
>> that very big projects use Coverity regularly, like LibreOffice or the
>> Linux Kernel, perhaps it's not worth stressing too much about this.
>>
>> Of course Geany maintainers are free to choose their stance on this
>> issue. And if you're unhappy with the current situation, I could as
>> well try to ask them to remove Geany from their service. Another way
>> would be, for instance, to set up a dedicated, private ML (e.g.
>> geany-dev-coverity) to which only members with access to Coverity can
>> post/read. This should avoid most of the nagging related to their UA.
>>
>
> Hi,
>
> It's unclear what advantage Coverity has over just running Clang Static
> Analyzer and their various sanitizers. Is it just for the web UI or
> something?
>
People say it's "powerful"... I guess it's capable of detecting issues
other tools don't. It also helps devels quite a bit understand the
underlying issue and how to address it.

From the other projects that are on Coverity, I hear nice things
overall from the devels, namely that it's "useful". In other
instances, it mainly identifies "trivial" coding issues (which,
hopefully, points to the coding base being robust).

Cheers,
Liviu


> Cheers,
> Matthew Brush
>
>
> _______________________________________________
> Devel mailing list
> Devel at lists.geany.org
> https://lists.geany.org/cgi-bin/mailman/listinfo/devel



-- 
Do you think you know what math is?
http://www.ideasroadshow.com/issues/ian-stewart-2013-08-02
Or what it means to be intelligent?
http://www.ideasroadshow.com/issues/john-duncan-2013-08-30
Think again:
http://www.ideasroadshow.com/library

