
Re: [Xen-devel] Make coverity results public



On Wed, 28 Mar 2018, George Dunlap wrote:
> On 03/28/2018 02:49 PM, Wei Liu wrote:
> > On Wed, Mar 28, 2018 at 02:33:37PM +0100, Roger Pau Monné wrote:
> >> Hello,
> >>
> >> According to the contribution guidelines document [0] the coverity
> >> database of issues is private, which makes it hard for new people to
> >> see issues. IMO it makes no sense to keep the result private anymore:
> >>
> >>  - They have been audited for plenty of time by different people
> >>    that currently have access to the database.
> >>  - Anyone can reproduce the same results by forking Xen on github and
> >>    sending a build to coverity for analysis AFAICT.
> >>
> >> On the plus side, having the database open would allow us the
> >> following:
> >>
> >>  - Coverity reports could be sent to xen-devel, so anyone could pick
> >>    and fix new issues.
> >>  - Newcomers could use coverity in order to find small size tasks to
> >>    work on.
> >>
> > 
> > +1 for making it public.
> > 
> > It used to be the case that people who had access manually forwarded issues to
> > newcomers. It was not fun for anyone involved.
> > 
> > The way the current policy is written makes it only theoretically
> > possible for newcomers to access the results (note the part about being
> > signed by a PGP key in the strong set of the web of trust), but it is more
> > likely to be impossible in practice.
> 
> NB that as I understand the term, "strong set" has a meaning generally
> the opposite of what you'd expect in this context: that is, trusting the
> "strong set", by including everyone that can be transitively included,
> is relatively weak from a security point of view.
> 
> For anyone outside of old-school hacking communities (like Debian,
> Linux, &c), this is likely to be a significant barrier to entry.  On the
> other hand, the more communities insist on this sort of thing, the less
> of a barrier it will become. :-)
> 
> In any case, I think the barrier is moot at this point, and should be
> taken down.

I started a thread recently among committers and the agreement was to
open up the results. Andrew volunteered but the one time I reminded him
to do it on IRC, Coverity was offline. Please go ahead and open up the
results now.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
