On Tue, Oct 29, 2013 at 11:10:32AM -0400, David Malcolm wrote:
> That in itself might be something we could track using firehose,
> perhaps? i.e. have an <info> element that says that the code is
> patched downstream by a particular distribution. Then the UI can
> render those elements (though which version of the source would you
> render in such a situation), and one can run a query showing patches
> across multiple distros and packages.
Uhm, so the broader need here is the ability to correlate different
distro-specific versions with one another or, in fact, to the respective
upstream version. We can do that via external databases, but it would
add a pretty heavy infrastructure dependency.
IMO it would be better to pursue one of the following two solutions (or
even both):
- add a new sub-element to <sut> which mentions the *upstream* version;
once we have that we can correlate reports from different distros via
the upstream version (if there are significant differences, that
should come from the distro-specific patching)
- add a new <context> or <excerpt> sub-element to failure/info/etc. that
can be used to add snippets of code around the location the static
analysis tool is pointing at. The idea is the same as contexts for
textual diffs: by comparing them we will be able to understand if
we're talking about the same code or, due to patching, significantly
different parts of it.
Of course it's an approximate solution, as the failure might descend
from patches far far away in the code base, but if it works for diff,
I think it'd be good enough for us as well. (And if we also have the
upstream version, we can always look up the distro-specific patches by
external means and compare those.)
Just my 0.02 EUR,
Cheers.
--
Stefano Zacchiroli . . . . . . . zack(a)upsilon.cc . . . . o . . . o . o
Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o
Former Debian Project Leader . . @zack on identi.ca . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »
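The correlation the two proposals above would allow, as an added example that is not part of the thread or of the firehose project: two constructed reports for the same upstream version are paired by file and by a diff-style comparison of the code excerpt around each finding, so a downstream patch that shifts line numbers still lets the same finding be matched. The `<upstream>` and `<excerpt>` element names and the simplified report layout are assumptions, not firehose's actual schema.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed sample reports in a simplified, hypothetical firehose-like layout;
# <upstream>/<excerpt> stand in for the proposed sub-elements. Distro B's patch
# shifts the warning by 14 lines and retypes `n`, so line numbers alone disagree.
REPORT_A = """<analysis>
  <sut><upstream version="1.4.2"/></sut>
  <issue file="src/parse.c" line="120"><excerpt>
int n = strlen(buf);
char *out = malloc(n);
strcpy(out, buf);
  </excerpt></issue>
</analysis>"""

REPORT_B = """<analysis>
  <sut><upstream version="1.4.2"/></sut>
  <issue file="src/parse.c" line="134"><excerpt>
size_t n = strlen(buf);
char *out = malloc(n);
strcpy(out, buf);
  </excerpt></issue>
  <issue file="src/parse.c" line="210"><excerpt>
free(p);
p = NULL;
  </excerpt></issue>
</analysis>"""

def parse_report(xml_text):
    """Return (upstream version, issue dicts); excerpt lines are whitespace-normalised."""
    root = ET.fromstring(xml_text)
    upstream = root.find("./sut/upstream").get("version")
    issues = []
    for issue in root.findall("issue"):
        lines = [l.strip() for l in issue.findtext("excerpt").strip().splitlines()]
        issues.append({"file": issue.get("file"), "line": int(issue.get("line")),
                       "excerpt": lines})
    return upstream, issues

def same_code(excerpt_a, excerpt_b, threshold=0.6):
    """Diff-context style match: share of common lines, independent of line numbers."""
    return difflib.SequenceMatcher(None, excerpt_a, excerpt_b).ratio() >= threshold

def correlate(report_a, report_b):
    """Pair issues that share upstream version, file and surrounding code."""
    up_a, issues_a = parse_report(report_a)
    up_b, issues_b = parse_report(report_b)
    if up_a != up_b:  # different upstream sources: excerpts are not comparable
        return []
    return [(a["line"], b["line"]) for a in issues_a for b in issues_b
            if a["file"] == b["file"] and same_code(a["excerpt"], b["excerpt"])]
```

`correlate(REPORT_A, REPORT_B)` pairs line 120 in A with line 134 in B and leaves B's unrelated finding at line 210 unmatched; the threshold is the analogue of diff's fuzz and is a tunable guess, not a derived value.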