Re: [Xen-devel] Make coverity results public
On Wed, Mar 28, 2018 at 06:18:40PM +0100, Wei Liu wrote:
> Cc Lars
>
> On Wed, Mar 28, 2018 at 10:15:36AM -0700, Stefano Stabellini wrote:
> > On Wed, 28 Mar 2018, George Dunlap wrote:
> > > On 03/28/2018 02:49 PM, Wei Liu wrote:
> > > > On Wed, Mar 28, 2018 at 02:33:37PM +0100, Roger Pau Monné wrote:
> > > >> Hello,
> > > >>
> > > >> According to the contribution guidelines document [0] the coverity
> > > >> database of issues is private, which makes it hard for new people to
> > > >> see issues. IMO it makes no sense to keep the result private anymore:
> > > >>
> > > >>  - They have been audited for plenty of time by different people
> > > >>    that currently have access to the database.
> > > >>  - Anyone can reproduce the same results by forking Xen on github and
> > > >>    sending a build to coverity for analysis AFAICT.
> > > >>
> > > >> On the plus side, having the database open would allow us the
> > > >> following:
> > > >>
> > > >>  - Coverity reports could be sent to xen-devel, so anyone could pick
> > > >>    and fix new issues.
> > > >>  - Newcomers could use coverity in order to find small size tasks to
> > > >>    work on.
> > > >>
> > > >
> > > > +1 for making it public.
> > > >
> > > > It used to be the case that people had access manually forward issues to
> > > > newcomers. It was not fun for anyone involved.
> > > >
> > > > The way the current policy is written makes it only theoretically
> > > > possible for newcomers to access the results (note the signed by PGP
> > > > key in a part of the strong set of web of trust), but is more likely to
> > > > be impossible in practice.
> > >
> > > NB that as I understand the term, "strong set" has a meaning generally
> > > the opposite of what you'd expect in this context: that is, trusting the
> > > "strong set", by including everyone that can be transitively included,
> > > is relatively weak from a security point of view.
> > >
> > > For anyone outside of old-school hacking communities (like Debian,
> > > Linux, &c), this is likely to be a significant barrier to entry. On the
> > > other hand, the more communities insist on this sort of thing, the less
> > > of a barrier it will become. :-)
> > >
> > > In any case, I think the barrier is moot at this point, and should be
> > > taken down.
> >
> > I started a thread recently among committers and the agreement was to
> > open up the results. Andrew volunteered but the one time I reminded him
> > to do it on IRC, Coverity was offline. Please go ahead and open up the
> > results now.
>
> Lars, if you don't object I'm going to open up the results. And I will
> leave the task to update the contribution guide webpage to you. :-)

I have changed the setting to "Project summary and defects are viewable
in read-only mode by all users".

Wei.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel