----- Original Message -----
> Hi
>
> On Tue, Dec 17, 2013 at 12:47 PM, Daniel P. Berrange wrote:
>
> > The issues reported against libvirt all appear to be false positives.
> > Not entirely surprising since we already have Coverity run against
> > libvirt code nightly.
>
> Thanks for the quick response. Does Red Hat run it only for packages in RHEL
> or is it run against all Fedora packages? If not, would it be possible for
> Red Hat to do so and publish the results on a regular basis? That might be a
> useful service.

We run the scans also on Fedora packages regularly. However, I'm not sure
if also for Fedora packages that don't have Red Hat maintainers.

Any Red Hat Engineer has the Coverity tool available to use and can scan
any open-source project with it. I personally scanned some network daemons
like BIND, ISC DHCP, dnsmasq, unbound, Squid, and also a couple of other
projects and sent a ton of patches to upstream projects. Now I'm doing only
scans for possible added issues, when there is a new version.

Publishing scan results for all Fedora packages might not be a very good idea,
since the static analysis can find issues with possible security impact.

Also, Coverity offers their tool to open-source projects for free [1]. I think
some projects are already using it (at least Squid). So if upstream projects
are interested, they can sign up for free.

[1] https://scan.coverity.com/

Regards,

Tomas Hozza