[Fedora-infrastructure-list] Re: coverity code checker in Extras

Josh Boyer jwboyer at jdub.homelinux.org
Thu Aug 31 02:41:16 UTC 2006


On Wed, 2006-08-30 at 18:10 -0400, Warren Togami wrote:
> We have been trying to keep Fedora's Infrastructure completely FOSS for 
> the purpose of making it reproducible and easy to contribute 
> improvements.  This is a noble goal.

Which infrastructure?  Extras or Core?  Because if you mean Fedora in
general, then I'm sorry but that's a bit off.  The Core buildsys is not
open sourced.

> 
> Comparing Coverity to Bitkeeper is not a fair comparison because Fedora 
> and any projects that reproduce it would not depend on it.  Coverity 
> would in part protect Fedora, but this really is a tool for improving 
> upstream projects, and Fedora would just make it easier to funnel 
> analysis and reports.

Yes.

> We have long wanted to implement post-build check reports in order to 
> improve package quality in an automated fashion.  Coverity could just be 
> another post-build check in that list.

Yes.

> On the other hand, we may want to implement Coverity in a different way 
> than post-check.  The output needs to be kept private to the individual 
> package owners and possibly security group people so security embargoes 
> can be handled in a responsible way in cooperation with upstream 
> projects.  We also want to avoid slowing down the build, sign and push 
> process any further.
> 
> My Proposal
> ==========
> A good compromise would be for Coverity to be run outside of the scope 
> of the Fedora Project as just a Red Hat thing.  It would run 
> asynchronously on the binary RPMS in pushed repositories.  If Fedora 
> contributors are interested in helping to better automate this they are 
> free to do so.

Erm... doesn't Coverity need _source_?

> 
> This way Fedora and upstream benefit from Coverity analysis, and Fedora 
> remains ideologically pure.

*cough* Core buildsys *cough*

josh