Re: Coverity Open Source Defect Scan of Gnome



On Sun, 05.03.2006 at 21.35 -0800, Ben Chelf wrote:
> Hello Gnome Developers,
> 
>    I'm the CTO of Coverity, Inc., a company that does static source code 
> analysis to look for defects in code. You may have heard of us or of our 
> technology from its days at Stanford (the "Stanford Checker"). The 
> reason I'm writing is because we have set up a framework internally to 
> continually scan open source projects and provide the results of our 
> analysis back to the developers of those projects. Gnome is one of the 
> 32 projects currently scanned at:
> 
> http://scan.coverity.com
> 
This is very nice indeed.

>    My belief is that we (Coverity) must reach out to the developers of 
> these packages (you) in order to make progress in actually fixing the 
> defects that we happen to find, so this is my first step in that 
> mission. Of course, I think Coverity technology is great, but I want to 
> hear what you think and that's why I worked with folks at Coverity to 
> put this infrastructure in place. The process is simple -- it checks out 
> your code each night from your repository and scans it so you can always 
> see the latest results.
> 
I'm very interested in gaining access to these reports. I'm maintaining
a couple of the core modules and I'm also a member of the release team
and bug squad along with a few other parts of the GNOME project.

>    Right now, we're guarding access to the actual defects that we report 
> for a couple of reasons: (1) We think that you, as developers of Gnome, 
> should have the chance to look at the defects we find to patch them 
> before random other folks get to see what we found and (2) From a 
> support perspective, we want to make sure that we have the appropriate 
> time to engage with those who want to use the results to fix the code. 
> Because of this second point, I'd ask that if you are interested in 
> really digging into the results a bit further for your project, please 
> have a couple of core maintainers (or group nominated individuals) reach 
> out to me to request access. As this is a new process for us and still 
> involves a small number of packages, I want to make sure that I 
> personally can be involved with the activity that is generated from this 

I've been doing a lot of cleanup work across all the core modules in
GNOME using various compilers and checkers like sparse in addition to
valgrind etc. And I'm definitely looking forward to having access to
another source to pinpoint more problems.

>    So I'm basically asking for people who want to play around with some 
> cool new technology to help make source code better. If this interests 
> you, please feel free to reach out to me directly. And of course, if 
> there are other packages you care about that aren't currently on the 
> list, I want to know about those too.
> 
I'll let you know if I get access to the list :-)

>    If this is the wrong list, my sincerest apologies and please let me 
> know where would be a more appropriate forum for this type of message.
> 
You would probably reach more developers on desktop-devel-list gnome org
since this list sees very little traffic these days.

> Many thanks for reading this far...
> 
Many thanks for setting this up. We should be using every tool available
to us to try and improve the code and I'm really interested in seeing
how the Coverity checker can help us do that.

Cheers
Kjartan



