[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Make coverity results public

Cc Lars

On Wed, Mar 28, 2018 at 10:15:36AM -0700, Stefano Stabellini wrote:
> On Wed, 28 Mar 2018, George Dunlap wrote:
> > On 03/28/2018 02:49 PM, Wei Liu wrote:
> > > On Wed, Mar 28, 2018 at 02:33:37PM +0100, Roger Pau Monné wrote:
> > >> Hello,
> > >>
> > >> According to the contribution guidelines document [0] the coverity
> > >> database of issues is private, which makes it hard for new people to
> > >> see issues. IMO it makes no sense to keep the result private anymore:
> > >>
> > >>  - They have been audited for plenty of time by different people
> > >>    that currently has access to the database.
> > >>  - Anyone can reproduce the same results by forking Xen on github and
> > >>    sending a build to coverity for analysis AFAICT.
> > >>
> > >> On the plus side, having the database open would allow us the
> > >> following:
> > >>
> > >>  - Coverity reports could be sent to xen-devel, so anyone could pick
> > >>    and fix new issues.
> > >>  - Newcomers could use coverity in order to find small size tasks to
> > >>    work on.
> > >>
> > > 
> > > +1 for making it public.
> > > 
> > > It used to be the case that people had access manually forward issues to
> > > new comers. It was not fun for anyone involved.
> > > 
> > > The way the current policy is written makes it only theoretically
> > > possible for new comers to access the results (note the signed by PGP
> > > key in a part of the strong set of web of trust), but is more likely to
> > > be impossible in practice.
> > 
> > NB that as I understand the term, "strong set" has a meaning generally
> > the opposite of what you'd expect in this context: that is, trusting the
> > "strong set", by including everyone that can be transitively included,
> > is relatively weak from a security point of view.
> > 
> > For anyone outside of old-school hacking communities (like Debian,
> > Linux, &c), this is likely to be a significant barrier to entry.  On the
> > other hand, the more communities insist on this sort of thing, the less
> > of a barrier it will become. :-)
> > 
> > In any case, I think the barrier is moot at this point, and should be
> > taken down.
> 
> I started a thread recently among committers and the agreement was to
> open up the results. Andrew volunteered but the one time I reminded him
> to do it on IRC, Coverity was offline. Please go ahead and open up the
> results now.

Lars, if you don't object I'm going to open up the results. And I will
leave the task to update the contribution guide webpage to you. :-)

Wei.


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.