[Geany-Devel] using Coverity to audit the code base
landronimirc at xxxxx
Sat Mar 7 21:45:23 UTC 2015
On Sat, Mar 7, 2015 at 10:30 PM, Matthew Brush <mbrush at codebrainz.ca> wrote:
> On 15-03-07 12:59 PM, Liviu Andronic wrote:
>> On Thu, Feb 26, 2015 at 7:18 PM, Colomban Wendling
>> <lists.ban at herbesfolles.org> wrote:
>>> On 12/02/2015 22:21, Liviu Andronic wrote:
>>>> Dear all,
>>>> Recently I've discovered Coverity, a code checking tool, and went
>>>> ahead and submitted the Geany code for static analysis by this
>>> Quoting Coverity's Scan User Agreement:
>>> "You will not publish any findings regarding or resulting from use of
>>> the Service or the Software;"
>>> IANAL, but this looks like we couldn't discuss an issue it found on e.g.
>>> this mailing list. And your report about what it did find in Geany's
>>> code is already a violation of that agreement.
>>> More, just for the fun:
>>> "“Confidential Information” means: […] (d) any results of operation from
>>> use of the Software or the Service;"
>>> "Without limiting the generality of the foregoing, You agree that You
>>> will not post […] the results of the Service […] on any network that is
>>> accessible by anyone."
>>> And this is the Scan User Agreement, I couldn't even find the Scan Terms
>>> of Use (at least not without trying to actually register myself).
>>> So… really?
>>> PS: Of course one will tell me that "in practice" they won't come after
>>> us for discussing a fix, but if it really is against the UA I'd rather
>>> not try and see what happens.
>> I haven't gotten any reply to my request for clarification. But I've
>> also discussed this issue with LyX devels.
>> The opinion there is that it's common sense to simply ignore the
>> overly restrictive aspects of Coverity's User Agreement. It's highly
>> unlikely that they'll come chasing for discussing a bug on the ML, and
>> if they do, this shall be incredibly negative PR for them given all
>> the efforts that they make to attract the open-source community. Given
>> that very big projects use Coverity regularly, like LibreOffice or the
>> Linux Kernel, perhaps it's not worth stressing too much about this.
>> Of course Geany maintainers are free to choose their stance on this
>> issue. And if you're unhappy with the current situation, I could as
>> well try to ask them to remove Geany from their service. Another way
>> would be, for instance, to set up a dedicated, private ML (e.g.
>> geany-dev-coverity) to which only members with access to Coverity can
>> post/read. This should avoid most of the nagging related to their UA.
> It's unclear what advantage Coverity has over just running Clang Static
> Analyzer and their various sanitizers. Is it just for the web UI or
People say it's "powerful"... I guess it's capable of detecting issues
other tools don't. It also helps devels quite a bit in understanding the
underlying issue and how to address it.
From the other projects that are on Coverity, I hear nice things
overall from the devels, namely that it's "useful". In other
instances, it mainly identifies "trivial" coding issues (which,
hopefully, points to the coding base being robust).
> Matthew Brush