Hi Markus,

On Thu, 7 Apr 2022, Markus Vervier wrote:

> On 4/6/22 00:17, Johannes Schindelin wrote:
> > On Fri, 1 Apr 2022, Markus Vervier wrote:
> > > X41 is processing the current RfP
> > would you kindly provide a bit more context? This seems to come right out
> > of left field. Is "RfP" a "Request for Proposals"? If so, I am not aware
> > that the git developer team submitted one...
>
> thank you and everyone else for their comments. To clear up the context:
>
> The OSTIF (https://ostif.org) is organizing a security audit for git
> and one of the questions was about Coverity and if the results it gave in the
> past could be verified and/or improved.

Thank you for the context!

If OSTIF can help us get better support from Coverity (as you can see at
https://github.com/git-for-windows/build-extra/commit/23eea104 I could
have wished for a better experience there), I am all for it!

Out of curiosity: are you (or is OSTIF) affiliated with Synopsys somehow?
If not, have you considered if you could help us get comprehensive
CodeQL coverage instead? Theoretically, CodeQL should be able to do the
same as Coverity, while allowing us to tweak the analysis in a lot more
powerful ways than Coverity (most notably, it should allow us to reduce
the number of false positives rather dramatically). It is the number of
knobs CodeQL allows that has looked too daunting for me to give it more
than a cursory try [*1*].

Thank you,
Johannes

Footnote *1*: I had played with CodeQL last year but was called away to a
more pressing project, therefore this is woefully incomplete:
https://github.com/git-for-windows/git/compare/main...dscho:codeql