We have been trying to keep Fedora's Infrastructure completely FOSS for
the purpose of making it reproducible and easy to contribute
improvements. This is a noble goal.
Comparing Coverity to Bitkeeper is not a fair comparison because Fedora
and any projects that reproduce it would not depend on it. Coverity
would in part protect Fedora, but this really is a tool for improving
upstream projects, and Fedora would just make it easier to funnel
analysis and reports.
We have long wanted to implement post-build check reports in order to
improve package quality in an automated fashion. Coverity could just be
another post-build check in that list.
On the other hand, we may want to implement Coverity in a different way
than post-check. The output needs to be kept private to the individual
package owners and possibly security group people so security embargoes
can be handled in a responsible way in cooperation with upstream
projects. We also want to avoid slowing down the build, sign and push
process any further.
My Proposal
===========
A good compromise would be for Coverity to be run outside of the scope
of the Fedora Project as just a Red Hat thing. It would run
asynchronously on the binary RPMs in pushed repositories. If Fedora
contributors are interested in helping to better automate this, they are
free to do so.
This way Fedora and upstream benefit from Coverity analysis, and Fedora
remains ideologically pure.
Thoughts?
Warren Togami
wtogami@xxxxxxxxxx
--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list