Xen project Mailing List

Re: [Xen-devel] Make coverity results public

To: George Dunlap <george.dunlap@xxxxxxxxxx>

From: Stefano Stabellini <sstabellini@xxxxxxxxxx>

Date: Wed, 28 Mar 2018 10:15:36 -0700 (PDT)

Authentication-results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org

Authentication-results: mail.kernel.org; spf=none smtp.mailfrom=sstabellini@xxxxxxxxxx

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Wed, 28 Mar 2018 17:15:51 +0000

Dmarc-filter: OpenDMARC Filter v1.3.2 mail.kernel.org 931672177B

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Wed, 28 Mar 2018, George Dunlap wrote: > On 03/28/2018 02:49 PM, Wei Liu wrote: > > On Wed, Mar 28, 2018 at 02:33:37PM +0100, Roger Pau Monné wrote: > >> Hello, > >> > >> According to the contribution guidelines document [0] the coverity > >> database of issues is private, which makes it hard for new people to > >> see issues. IMO it makes no sense to keep the result private anymore: > >> > >> - They have been audited for plenty of time by different people > >> that currently has access to the database. > >> - Anyone can reproduce the same results by forking Xen on github and > >> sending a build to coverity for analysis AFAICT. > >> > >> On the plus side, having the database open would allow us the > >> following: > >> > >> - Coverity reports could be sent to xen-devel, so anyone could pick > >> and fix new issues. > >> - Newcomers could use coverity in order to find small size tasks to > >> work on. > >> > > > > +1 for making it public. > > > > It used to be the case that people had access manually forward issues to > > new comers. It was not fun for anyone involved. > > > > The way the current policy is written makes it only theoretically > > possible for new comers to access the results (note the signed by PGP > > key in a part of the strong set of web of trust), but is more likely to > > be impossible in practice. > > NB that as I understand the term, "strong set" has a meaning generally > the opposite of what you'd expect in this context: that is, trusting the > "strong set", by including everyone that can be transitively included, > is relatively weak from a security point of view. > > For anyone outside of old-school hacking communities (like Debian, > Linux, &c), this is likely to be a significant barrier to entry. On the > other hand, the more communities insist on this sort of thing, the less > of a barrier it will become. :-) > > In any case, I think the barrier is moot at this point, and should be > taken down. I started a thread recently among committers and the agreement was to open up the results. Andrew volunteered but the one time I reminded him to do it on IRC, Coverity was offline. Please go ahead and open up the results now.

_______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.