On Wed, 2006-08-30 at 18:10 -0400, Warren Togami wrote:

> We have been trying to keep Fedora's Infrastructure completely FOSS for
> the purpose of making it reproducible and easy to contribute
> improvements. This is a noble goal.
>
> Comparing Coverity to Bitkeeper is not a fair comparison because Fedora
> and any projects that reproduce it would not depend on it. Coverity
> would in part protect Fedora, but this really is a tool for improving
> upstream projects, and Fedora would just make it easier to funnel
> analysis and reports.
>
> We have long wanted to implement post-build check reports in order to
> improve package quality in an automated fashion. Coverity could just be
> another post-build check in that list.
>
> On the other hand, we may want to implement Coverity in a different way
> than post-check. The output needs to be kept private to the individual
> package owners and possibly security group people so security embargoes
> can be handled in a responsible way in cooperation with upstream
> projects. We also want to avoid slowing down the build, sign and push
> process any further.
>
> My Proposal
> ==========
> A good compromise would be for Coverity to be run outside of the scope
> of the Fedora Project as just a Red Hat thing. It would run
> asynchronously on the binary RPMS in pushed repositories. If Fedora
> contributors are interested in helping to better automate this they are
> free to do so.

Note that we may not be able to deploy the Coverity bits on the same build
machines that Extras packages are built on right now, mainly because the
people who have access to those machines are not employed by Red Hat.
There's an open question as to whether Coverity will permit non-Red Hat
contributors access to machines that run the proprietary Coverity binaries
(which contain a fair amount of their IP and trade secrets and such)
without signing some legal document. The sensitive bits are precisely
those that run during the package build.

I think the easiest solution at the current time is to run the Coverity
scans on one or two parallel machines that harvest successful build
results from the actual Extras buildsystem, and which non-Red Hat people
don't have shell access to. Furthermore, this ensures that released Extras
packages are fully externally reproducible, since the Coverity scanner
sits between the build scripts and GCC. The web-based reports portal would
still be accessible to package maintainers of course.

Like Warren says, then there's no slowdown for the build system, we stay
clear of any difficult contractual or legal issues related to access to
Coverity binaries, and the packages are completely externally
reproducible.

Is there any extra hardware available? The Coverity bits don't run on PPC
yet either, they are i386 & x86-64 only right now, so we don't need any
more OpenPOWER boxes, only a few more Dells.

Dan

> This way Fedora and upstream benefit from Coverity analysis, and Fedora
> remains ideologically pure.
>
> Thoughts?
>
> Warren Togami
> wtogami@xxxxxxxxxx
>