Re: [Xen-devel] Make coverity results public



On Wed, Mar 28, 2018 at 06:18:40PM +0100, Wei Liu wrote:
> Cc Lars
> 
> On Wed, Mar 28, 2018 at 10:15:36AM -0700, Stefano Stabellini wrote:
> > On Wed, 28 Mar 2018, George Dunlap wrote:
> > > On 03/28/2018 02:49 PM, Wei Liu wrote:
> > > > On Wed, Mar 28, 2018 at 02:33:37PM +0100, Roger Pau Monné wrote:
> > > >> Hello,
> > > >>
> > > >> According to the contribution guidelines document [0] the coverity
> > > >> database of issues is private, which makes it hard for new people to
> > > >> see issues. IMO it makes no sense to keep the result private anymore:
> > > >>
> > > >>  - They have been audited for plenty of time by different people
> > > >>    that currently have access to the database.
> > > >>  - Anyone can reproduce the same results by forking Xen on github and
> > > >>    sending a build to coverity for analysis AFAICT.
> > > >>
> > > >> On the plus side, having the database open would allow us the
> > > >> following:
> > > >>
> > > >>  - Coverity reports could be sent to xen-devel, so anyone could pick
> > > >>    and fix new issues.
> > > >>  - Newcomers could use coverity in order to find small size tasks to
> > > >>    work on.
> > > >>
> > > > 
> > > > +1 for making it public.
> > > > 
> > > > It used to be the case that people who had access manually forwarded issues to
> > > > newcomers. It was not fun for anyone involved.
> > > > 
> > > > The way the current policy is written makes it only theoretically
> > > > possible for newcomers to access the results (note the signed by PGP
> > > > key in a part of the strong set of web of trust), but is more likely to
> > > > be impossible in practice.
> > > 
> > > NB that as I understand the term, "strong set" has a meaning generally
> > > the opposite of what you'd expect in this context: that is, trusting the
> > > "strong set", by including everyone that can be transitively included,
> > > is relatively weak from a security point of view.
> > > 
> > > For anyone outside of old-school hacking communities (like Debian,
> > > Linux, &c), this is likely to be a significant barrier to entry.  On the
> > > other hand, the more communities insist on this sort of thing, the less
> > > of a barrier it will become. :-)
> > > 
> > > In any case, I think the barrier is moot at this point, and should be
> > > taken down.
> > 
> > I started a thread recently among committers and the agreement was to
> > open up the results. Andrew volunteered but the one time I reminded him
> > to do it on IRC, Coverity was offline. Please go ahead and open up the
> > results now.
> 
> Lars, if you don't object I'm going to open up the results. And I will
> leave the task to update the contribution guide webpage to you. :-)

I have changed the setting to "Project summary and defects are viewable
in read-only mode by all users".

Wei.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
