On Wed, 2006-08-30 at 13:11 -0500, Jason L Tibbitts III wrote:
> >>>>> "TM" == Till Maas <opensource@xxxxxxxxx> writes:
>
> TM> what is it really, what is going to happen if we accept their
> TM> offer? Will every package in Extras be scanned?
>
> I don't think their technology would support that; as far as I know
> they can't do anything with Perl or Python or the like.
>

Yes. I asked them at LinuxWorld and they seem to be focusing on traditional compiled languages. If I recall it was C and C++ right now, Java very soon.

> What I find to be of more concern is what maintainers are expected to
> do with that information. In most cases all we'd be able to do is
> pass the reports upstream, which I suppose would be OK but might be a
> bit much to ask some maintainers (i.e. the ones with 50+ packages) to
> handle. Ideally Coverity would just deal directly with upstream and
> extras wouldn't need to be involved.

We could have a Coverity SIG that helped pass reports upstream. Or we could see if Coverity is open to allowing upstream maintainers direct access to their reports. Then Extras is a partnership with Coverity -- we are a kind of filter for open source packages that are of interest to the community and provide some infrastructure to help run their scanner. They provide the scanner and generate the reports.

If I understand correctly, the Coverity proprietary stuff will run on our servers and the reports will be viewable over the web. No proprietary packages are needed in the distribution or Extras itself.

Under these terms I think it's generally a good thing. We'd need to hash out how it fits in infrastructure-wise and how we're going to distribute the information but those are details we can take care of later. Finding out how Coverity sees us distributing the data and how much overhead this is going to bring (will it double the time spent building packages? Will it run on another machine and simply scan the CVS repository and lookaside cache?) are the only questions that come to mind.

-Toshio
--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list