public inbox for linux-kernel@vger.kernel.org
From: Adrian Bunk <bunk@stusta.de>
To: Ben Chelf <ben@coverity.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Coverity Open Source Defect Scan of Linux
Date: Mon, 6 Mar 2006 11:27:29 +0100
Message-ID: <20060306102729.GD3974@stusta.de>
In-Reply-To: <440BCA0F.50501@coverity.com>

On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote:

> Hello Linux Developers,


Hi Ben,


>   I'm the CTO of Coverity, Inc., a company that does static source code 
> analysis to look for defects in code. You may have heard of us or of our 
> technology from its days at Stanford (the "Stanford Checker"). The 
> reason I'm writing is because we have set up a framework internally to 
> continually scan open source projects and provide the results of our 
> analysis back to the developers of those projects. Linux is one of the 
> 32 projects currently scanned at:
> 
> http://scan.coverity.com
>...
>   Right now, we're guarding access to the actual defects that we report 
> for a couple of reasons: (1) We think that you, as developers of Linux, 
> should have the chance to look at the defects we find to patch them 
> before random other folks get to see what we found and (2) From a 
> support perspective, we want to make sure that we have the appropriate 
> time to engage with those who want to use the results to fix the code. 
> Because of this second point, I'd ask that if you are interested in 
> really digging into the results a bit further for your project, please 
> have a couple of core maintainers (or group nominated individuals) reach 
> out to me to request access. As this is a new process for us and still 
> involves a small number of packages, I want to make sure that I 
> personally can be involved with the activity that is generated from this 
> effort.
>...


It seems there is some internal communication problem inside your 
company:

This is far from being a "new process", you already offered this for 
some time at http://linuxbugsdb.coverity.com/ (with the exception that 
you stopped updating the results half a year ago).

If you as the CTO didn't know about this it is giving a very bad 
impression of your company.

Some questions regarding this move:
- can you migrate the accounts from linuxbugsdb.coverity.com?
- are the comments Linux kernel developers like me made at
  linuxbugsdb.coverity.com migrated to scan.coverity.com or was this
  wasted work?


Another thing you could give a small clarification about:
Your email sounds as if your offer was like a charity offer from 
Coverity, Inc.

OTOH, I remember press rumors of Coverity, Inc. getting 297 000 dollars
for this from the Department of Homeland Security.

I'm sure you are not silently omitting that you are getting public
funding for what you are offering, but an official statement would be
nice.

 
> -ben


cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

