Dealing with static code analysis in Fedora

Alek Paunov alex at declera.com
Thu Dec 13 19:45:30 UTC 2012


On 11.12.2012 23:52, David Malcolm wrote:
> We'd be able to run all of the code in Fedora through static analysis
> tools, and slurp the results into the database

Dave, I really do not know what to say first :-). The subject is so 
important and there are so many aspects and application fields - IMHO, 
the topic is the most important one in the devel list lately (and is in 
_direct_ relation with all the other _hot_ topics - ABI stability, 
upgradeability, collections, reliable/automated migrations, packagers' 
productivity, rawhide, etc.)

I hope this thread will be a long and fruitful discussion with the final 
effect to change Fedora to something that all motivated devs in the list 
expect it to become. Just a few preliminary questions about your insights 
in the future:

1) What about dumping the GCC structs to the DB during the OS/Repos 
processing from the very beginning (meaning something more powerful than 
dxr.mozilla.org, and the possibility to engage various static analysis 
people in the project, like the Masaryk University team as Michal reported, 
without locking to a concrete compiler technology/encoding)?

2) The Clang world enrolled the (suspicious) term "Compilation database" as 
the safe sequence and arguments of the compiler invocations for a 
package build. What is your opinion on abstracting build systems to the 
DB in the same way in Fedora (based on the GCC plugin)?

3) As I said already, IMHO, this thread is the most practically 
important topic in Fedora. What about a SIG/Team? I think a base of 8-10 
highly experienced part-time contributors will be enough for your spec and 
1)-like enhancements.

Kind Regards,
Alek

P.S. Fedora infrastructure resources are mandatory for the final Fedora 
repos cooking, but I think that the community is able to provide less 
secure, but much more in volume, resources for the analysis workers 
(Fedora can just supply a small enslaving script for the dedicated VM).


