Re: [Xen-devel] Make coverity results public
Cc Lars

On Wed, Mar 28, 2018 at 10:15:36AM -0700, Stefano Stabellini wrote:
> On Wed, 28 Mar 2018, George Dunlap wrote:
> > On 03/28/2018 02:49 PM, Wei Liu wrote:
> > > On Wed, Mar 28, 2018 at 02:33:37PM +0100, Roger Pau Monné wrote:
> > >> Hello,
> > >>
> > >> According to the contribution guidelines document [0] the coverity
> > >> database of issues is private, which makes it hard for new people to
> > >> see issues. IMO it makes no sense to keep the result private anymore:
> > >>
> > >> - They have been audited for plenty of time by different people
> > >>   that currently have access to the database.
> > >> - Anyone can reproduce the same results by forking Xen on github and
> > >>   sending a build to coverity for analysis AFAICT.
> > >>
> > >> On the plus side, having the database open would allow us the
> > >> following:
> > >>
> > >> - Coverity reports could be sent to xen-devel, so anyone could pick
> > >>   and fix new issues.
> > >> - Newcomers could use coverity in order to find small size tasks to
> > >>   work on.
> > >>
> > >
> > > +1 for making it public.
> > >
> > > It used to be the case that people had access manually forward issues to
> > > newcomers. It was not fun for anyone involved.
> > >
> > > The way the current policy is written makes it only theoretically
> > > possible for newcomers to access the results (note the signed by PGP
> > > key in a part of the strong set of web of trust), but is more likely to
> > > be impossible in practice.
> >
> > NB that as I understand the term, "strong set" has a meaning generally
> > the opposite of what you'd expect in this context: that is, trusting the
> > "strong set", by including everyone that can be transitively included,
> > is relatively weak from a security point of view.
> >
> > For anyone outside of old-school hacking communities (like Debian,
> > Linux, &c), this is likely to be a significant barrier to entry. On the
> > other hand, the more communities insist on this sort of thing, the less
> > of a barrier it will become. :-)
> >
> > In any case, I think the barrier is moot at this point, and should be
> > taken down.
>
> I started a thread recently among committers and the agreement was to
> open up the results. Andrew volunteered but the one time I reminded him
> to do it on IRC, Coverity was offline. Please go ahead and open up the
> results now.

Lars, if you don't object I'm going to open up the results. And I will
leave the task to update the contribution guide webpage to you. :-)

Wei.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel