Re: [Xen-devel] Make coverity results public
On Wed, 28 Mar 2018, George Dunlap wrote:
> On 03/28/2018 02:49 PM, Wei Liu wrote:
> > On Wed, Mar 28, 2018 at 02:33:37PM +0100, Roger Pau Monné wrote:
> >> Hello,
> >>
> >> According to the contribution guidelines document [0] the coverity
> >> database of issues is private, which makes it hard for new people to
> >> see issues. IMO it makes no sense to keep the result private anymore:
> >>
> >> - They have been audited for plenty of time by different people
> >>   that currently have access to the database.
> >> - Anyone can reproduce the same results by forking Xen on github and
> >>   sending a build to coverity for analysis AFAICT.
> >>
> >> On the plus side, having the database open would allow us the
> >> following:
> >>
> >> - Coverity reports could be sent to xen-devel, so anyone could pick
> >>   and fix new issues.
> >> - Newcomers could use coverity in order to find small size tasks to
> >>   work on.
> >>
> >
> > +1 for making it public.
> >
> > It used to be the case that people had access manually forward issues to
> > newcomers. It was not fun for anyone involved.
> >
> > The way the current policy is written makes it only theoretically
> > possible for newcomers to access the results (note the signed by PGP
> > key in a part of the strong set of web of trust), but is more likely to
> > be impossible in practice.
>
> NB that as I understand the term, "strong set" has a meaning generally
> the opposite of what you'd expect in this context: that is, trusting the
> "strong set", by including everyone that can be transitively included,
> is relatively weak from a security point of view.
>
> For anyone outside of old-school hacking communities (like Debian,
> Linux, &c), this is likely to be a significant barrier to entry. On the
> other hand, the more communities insist on this sort of thing, the less
> of a barrier it will become. :-)
>
> In any case, I think the barrier is moot at this point, and should be
> taken down.

I started a thread recently among committers and the agreement was to
open up the results. Andrew volunteered but the one time I reminded him
to do it on IRC, Coverity was offline.

Please go ahead and open up the results now.