On Wed, 2006-08-30 at 18:10 -0400, Warren Togami wrote:
> We have been trying to keep Fedora's Infrastructure completely FOSS for
> the purpose of making it reproducible and easy to contribute
> improvements. This is a noble goal.

Which infrastructure? Extras or Core. Because if you mean Fedora in general, then I'm sorry but that's a bit off. The Core buildsys is not open sourced.

>
> Comparing Coverity to Bitkeeper is not a fair comparison because Fedora
> and any projects that reproduce it would not depend on it. Coverity
> would in part protect Fedora, but this really is a tool for improving
> upstream projects, and Fedora would just make it easier to funnel
> analysis and reports.

Yes.

> We have long wanted to implement post-build check reports in order to
> improve package quality in an automated fashion. Coverity could just be
> another post-build check in that list.

Yes.

> On the other hand, we may want to implement Coverity in a different way
> than post-check. The output needs to be kept private to the individual
> package owners and possibly security group people so security embargoes
> can be handled in a responsible way in cooperation with upstream
> projects. We also want to avoid slowing down the build, sign and push
> process any further.
>
> My Proposal
> ==========
> A good compromise would be for Coverity to be run outside of the scope
> of the Fedora Project as just a Red Hat thing. It would run
> asynchronously on the binary RPMS in pushed repositories. If Fedora
> contributors are interested in helping to better automate this they are
> free to do so.

Erm... doesn't coverity need _source_?

>
> This way Fedora and upstream benefits from Coverity analysis, and Fedora
> remains ideologically pure.

*cough* Core buildsys *cough*

josh

--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list