[Fedora-infrastructure-list] Re: coverity code checker in Extras

Dan Williams dcbw at redhat.com
Thu Aug 31 20:20:12 UTC 2006


On Wed, 2006-08-30 at 18:10 -0400, Warren Togami wrote:
> We have been trying to keep Fedora's Infrastructure completely FOSS for 
> the purpose of making it reproducible and easy to contribute 
> improvements.  This is a noble goal.
> 
> Comparing Coverity to Bitkeeper is not a fair comparison because Fedora 
> and any projects that reproduce it would not depend on it.  Coverity 
> would in part protect Fedora, but this really is a tool for improving 
> upstream projects, and Fedora would just make it easier to funnel 
> analysis and reports.
> 
> We have long wanted to implement post-build check reports in order to 
> improve package quality in an automated fashion.  Coverity could just be 
> another post-build check in that list.
> 
> On the other hand, we may want to implement Coverity in a different way 
> than post-check.  The output needs to be kept private to the individual 
> package owners and possibly security group people so security embargoes 
> can be handled in a responsible way in cooperation with upstream 
> projects.  We also want to avoid slowing down the build, sign and push 
> process any further.
> 
> My Proposal
> ==========
> A good compromise would be for Coverity to be run outside of the scope 
> of the Fedora Project as just a Red Hat thing.  It would run 
> asynchronously on the binary RPMS in pushed repositories.  If Fedora 
> contributors are interested in helping to better automate this they are 
> free to do so.

Note that we may not be able to deploy the Coverity bits on the same
build machines that Extras packages are built on right now; mainly
because the people who have access to those machines are not employed by
Red Hat.  There's an open question as to whether Coverity will permit
non-Red Hat contributors access to machines that run the proprietary
Coverity binaries (which contain a fair amount of their IP and trade
secrets and such) without signing some legal document.  The sensitive
bits are precisely those that run during the package build.

I think the easiest solution at the current time is to run the Coverity
scans on one or two parallel machines that harvest successful build
results from the actual Extras buildsystem, and which non-Red Hat people
don't have shell access to.  Furthermore, this ensures that released
Extras packages are fully externally reproducible, since the Coverity
scanner sits between the build scripts and GCC.  The web-based reports
portal would still be accessible to package maintainers of course.

Like Warren says, then there's no slowdown for the build system, we stay
clear of any difficult contractual or legal issues related to access to
Coverity binaries, and the packages are completely externally
reproducible.

Is there any extra hardware available?  The Coverity bits don't run on
PPC yet either, they are i386 & x86-64 only right now, so we don't need
any more OpenPOWER boxes, only a few more Dells.

Dan

> This way Fedora and upstream benefit from Coverity analysis, and Fedora 
> remains ideologically pure.
> 
> Thoughts?
> 
> Warren Togami
> wtogami at redhat.com
> 
