PSA: If you are C/C++ developer, use cppcheck

Rahul Sundaram metherid at gmail.com
Tue Dec 17 22:12:24 UTC 2013


Hi


On Tue, Dec 17, 2013 at 4:34 PM, Tomas Hozza  wrote:

> Publishing scan results for all Fedora packages might not be a very good
> idea, since the static analysis can find issues with possible security impact.
>

Sure, and if someone wants to understand that security impact in order to
exploit it, they can always use Coverity right now to find it out. But if this
is really a concern, one could easily gate access to the reports using FAS.


> Also Coverity offers their tool to open-source projects for free [1]. I think
> some projects are already using it (at least Squid). So if upstream projects
> are interested, they can sign up for free.
>

That is true, but it is clear that the majority of projects are not doing that,
and as a distributor of thousands of projects, I think Fedora can provide
good value for upstream and itself by doing it in a central place
proactively. Red Hat is already doing it for some packages. We just need to
find a way to increase that coverage and provide the reports in a way
accessible to volunteer Fedora package maintainers.

Rahul