
Mailing List Archive: MythTV: Dev

status of MythTV wrt Coverity Scan

 

 



eric at lisaneric

May 6, 2012, 11:27 AM

Post #1 of 38 (3064 views)
status of MythTV wrt Coverity Scan

Hi all,

I was just wondering if there was any interest in enrolling MythTV in
the Coverity Scan program.

If you're not familiar with Coverity, it's a static analysis tool that
looks for potential bugs in code, like gcc warnings on steroids. It's
a commercial product which the makers make available to open source
projects at no cost.

http://scan.coverity.com/about.html

I noticed that MythTV is not on the list of participating projects.
Google turns up some references to MythTV and Coverity from around
2008 including this chat log:

09:42 <danielk22> I did try to contact coverity about getting MythTV
into their scan program, but they never got back to me.
09:42 <stuarta> using that admin address in the FAQ?
09:42 <danielk22> yup
09:44 <danielk22> I also tried contacting them through their main web
page, but then I just got sales people who knew nothing about the
program contacting me every few days.

and a few tickets that mention Coverity as having uncovered the bug
(e.g. #5549) but nothing recent.

Would anyone be interested in making use of this tool? If so I can
contact them and see if I can set it up.

Eric Sharkey
_______________________________________________
mythtv-dev mailing list
mythtv-dev [at] mythtv
http://www.mythtv.org/mailman/listinfo/mythtv-dev


stuart at tase

May 6, 2012, 11:38 AM

Post #2 of 38 (2991 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Sunday 06 May 2012 14:27:42 Eric Sharkey wrote:
> Hi all,
>
> I was just wondering if there was any interest in enrolling MythTV in
> the Coverity Scan program.

We've tried time and time again over a period of several years now, they
haven't even had the decency to acknowledge our emails.

> Would anyone be interested in making use of this tool? If so I can
> contact them and see if I can set it up.

Without doubt we'd be interested, and if you've got some sort of 'in' with
them that might make it happen then please give it a go.
--
Stuart Morgan


eric at lisaneric

May 6, 2012, 1:54 PM

Post #3 of 38 (2992 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Sun, May 6, 2012 at 2:38 PM, Stuart Morgan <stuart [at] tase> wrote:
> On Sunday 06 May 2012 14:27:42 Eric Sharkey wrote:
>> I was just wondering if there was any interest in enrolling MythTV in
>> the Coverity Scan program.
>
> We've tried time and time again over a period of several years now, they
> haven't even had the decency to acknowledge our emails.

I find this hard to believe. (Not that I doubt what you say is true.)

>> Would anyone be interested in making use of this tool? If so I can
>> contact them and see if I can set it up.
>
> Without doubt we'd be interested, and if you've got some sort of 'in' with
> them that might make it happen then please give it a go.

Hardly. I work for a company that writes software. We're currently
in the 30-day free trial period for a commercial license to Coverity
so I've been working with it for the past week or so. I am not a
decision maker in this process, but I'm among the people evaluating
the tool. I'm not sure if that's much of an "in".

I'll try to contact them and see if I can get at least a response.
The scan project FAQ makes it clear that they only want to talk to
official developers for a project, while I've just been a MythTV user
and frequent mythtv-users mailing list poster up till now, but with
your blessing I'll go ahead.

Eric


eric at lisaneric

May 6, 2012, 8:00 PM

Post #4 of 38 (2987 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Sun, May 6, 2012 at 2:38 PM, Stuart Morgan <stuart [at] tase> wrote:
> On Sunday 06 May 2012 14:27:42 Eric Sharkey wrote:
>> Hi all,
>>
>> I was just wondering if there was any interest in enrolling MythTV in
>> the Coverity Scan program.
>
> We've tried time and time again over a period of several years now, they
> haven't even had the decency to acknowledge our emails.

Apparently they're more cooperative now. I got a positive response
from them within four hours of writing to them, on a Sunday afternoon
at that.

--------
Hi Eric,

Thank you for your interest in Coverity Scan.
Your project does qualify for the Coverity Scan analysis as it does
meet the Open Source Licensing requirement.
But we just want to re-iterate that the use of Coverity SCAN is
limited to Open Source projects only and furthermore, it is limited to
only those who are developers/contributors or owner of the Open
Source project.

0. There are three steps to analyze a codebase: build, analyze, and commit.
1. You do the build step, then tar up the intermediate representation
and stick it somewhere we can get it by http.
2. Our scripts wget it, analyze it, commit it to the DB and you get
the notification when results will be available to view online after
commit.

Instructions and build tools are here:
http://scan.coverity.com/self-build/

(Our recent experience has been that pretty much everybody builds on
Linux; if you need something else, assuming we support it there will
be a short delay while we build a tools package for your platform.)

We'll start out cranking through the process by hand, only for the
first time, so we can make sure there are no problems in the build and
fix any we find, so once you've built and tarred up an intermediate
directory, just reply to this message with a URL to it, and we'll take
it from there.

For the subsequent future build, you can make Coverity build as a part
of your regular nightly/weekly build, similar to other Open Source
project and automate entire process with no need for any emails or
manual intervention.

Please let me know if you have any trouble with or questions about the
build process, of course, and thank you for your interest in Scan!

Thanks
Dakshesh Vyas | Technical Manager - SCAN
--------

I'll see if I can get a build done with the Coverity analyzer
tomorrow. Unless someone has another opinion, I'll use the fixes/0.25
branch built on x86-64.

Eric


stuart at tase

May 7, 2012, 8:07 AM

Post #5 of 38 (2964 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Sunday 06 May 2012 23:00:36 Eric Sharkey wrote:
> I'll see if I can get a build done with the Coverity analyzer
> tomorrow. Unless someone has another opinion, I'll use the fixes/0.25
> branch built on x86-64.

We should use master, since it's better to fix new bugs before they make it
into the next release.

We can use one of the buildbots to supply the binaries they need. We should
discuss that with Gavin.
--
Stuart Morgan


eric at lisaneric

May 7, 2012, 8:34 AM

Post #6 of 38 (2965 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Mon, May 7, 2012 at 11:07 AM, Stuart Morgan <stuart [at] tase> wrote:
> On Sunday 06 May 2012 23:00:36 Eric Sharkey wrote:
>> I'll see if I can get a build done with the Coverity analyzer
>> tomorrow. Unless someone has another opinion, I'll use the fixes/0.25
>> branch built on x86-64.
>
> We should use master, since it's better to fix new bugs before they make it
> into the next release.

Coverity has a concept that they call "streams" which are kind of like
branches, but often a single branch might have multiple streams if it
can be compiled more than one way (e.g., compiled with/without
debugging, etc.). Coverity can test all these streams and coordinate
the defect reports across streams. Ultimately you'll want to have a
stream for master and another stream for the latest fixes branch. I
thought it would be simpler, on the first run, to start with a fixes
branch as that should be more stable, then add a stream for master
once the mechanics of using Coverity are better understood.

At this point in time, I would expect the vast majority of defect
reports will be shared by fixes/0.25 and master.

> We can use one of the buildbots to supply the binaries they need. We should
> discuss that with Gavin.

Eventually it should all be automated, yes, but again, I think doing
the first submission by hand would make sense, then all the developers
can look at the results and see if there's even interest in continuing
to use the tool.

Eric


erik at hovland

May 7, 2012, 8:43 AM

Post #7 of 38 (3002 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Mon, May 7, 2012 at 8:34 AM, Eric Sharkey <eric [at] lisaneric> wrote:
> On Mon, May 7, 2012 at 11:07 AM, Stuart Morgan <stuart [at] tase> wrote:
>> On Sunday 06 May 2012 23:00:36 Eric Sharkey wrote:
>>> I'll see if I can get a build done with the Coverity analyzer
>>> tomorrow. Unless someone has another opinion, I'll use the fixes/0.25
>>> branch built on x86-64.
>>
>> We should use master, since it's better to fix new bugs before they make it
>> into the next release.
>
> Coverity has a concept that they call "streams" which are kind of like
> branches, but often a single branch might have multiple streams if it
> can be compiled more than one way (e.g., compiled with/without
> debugging, etc.). Coverity can test all these streams and coordinate
> the defect reports across streams. Ultimately you'll want to have a
> stream for master and another stream for the latest fixes branch. I
> thought it would be simpler, on the first run, to start with a fixes
> branch as that should be more stable, then add a stream for master
> once the mechanics of using Coverity are better understood.

You are better off starting w/ master. It is the branch that will
matter going forward and it is easier to back port fixes than work like
heck to get defect fixes into a mostly frozen tree and then forward
port.

E

--
Erik Hovland
erik [at] hovland
http://hovland.org/


eric at lisaneric

May 7, 2012, 9:14 AM

Post #8 of 38 (2962 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Mon, May 7, 2012 at 11:43 AM, Erik Hovland <erik [at] hovland> wrote:
> You are better off starting w/ master. It is the branch that will
> matter going forward and it is easier to back port fixes than work like
> heck to get defect fixes into a mostly frozen tree and then forward
> port.

I still don't understand this logic. Why would a defect report in the
fixes branch necessitate a fix in the fixes branch? If the bug is
serious, you'll want to fix it in all branches. If it's not very
serious, you'll fix it in master only. This is independent of the
branch where the bug is found.

I'll prepare builds for both master and 0.25 fixes and check back on
this list before actually submitting anything to Coverity.

Eric


gary.buhrmaster at gmail

May 7, 2012, 9:34 AM

Post #9 of 38 (2973 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Mon, May 7, 2012 at 4:14 PM, Eric Sharkey <eric [at] lisaneric> wrote:
....
> I still don't understand this logic.

The logic that matters is that master is undergoing
fixes and new codes. It is "the latest and greatest".
Existing bugs found (if serious) would be back-ported
to compatible versions (sometimes it is not worth the
trouble for, say, something like 0.21), but more
importantly, you want the codes you are developing
to be the best they can be(*). Static and dynamic
analysis helps that, and while the developers are
good, they have, from time to time, introduced new
bugs in the new codes they are working on and
you would prefer to find those bugs in the codes
before "shipping". Every analysis tool finds a
different set of bugs (cppcheck and scan-build,
for example, have both resulted in fixes in different
sections of the codes). The more the merrier. And
you want to (first) target your upcoming release(s).

Gary

(*) For example, jya just (essentially) rewrote the
entire ROAP codes. What matters is less what was,
than what will be.


eric at lisaneric

May 7, 2012, 9:47 AM

Post #10 of 38 (2958 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Mon, May 7, 2012 at 12:34 PM, Gary Buhrmaster
<gary.buhrmaster [at] gmail> wrote:
> And you want to (first) target your upcoming release(s).

Isn't the next release posted as the current release on mythtv.org
likely to be built from fixes/0.25?

Eric


james.dutton at gmail

May 7, 2012, 10:00 AM

Post #11 of 38 (2966 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On 6 May 2012 19:27, Eric Sharkey <eric [at] lisaneric> wrote:
> Hi all,
>
> I was just wondering if there was any interest in enrolling MythTV in
> the Coverity Scan program.
>
> If you're not familiar with Coverity, it's a static analysis tool that
> looks for potential bugs in code, like gcc warnings on steroids.  It's
> a commercial product which the makers make available to open source
> projects at no cost.
>
> http://scan.coverity.com/about.html
>
> I noticed that MythTV is not on the list of participating projects.
> Google turns up some references to MythTV and Coverity from around
> 2008 including this chat log:
>
> 09:42   <danielk22>     I did try to contact coverity about getting MythTV
> into their scan program, but they never got back to me.
> 09:42   <stuarta>       using that admin address in the FAQ?
> 09:42   <danielk22>     yup
> 09:44   <danielk22>     I also tried contacting them through their main web
> page, but then I just got sales people who knew nothing about the
> program contacting me every few days.
>
> and a few tickets that mention Coverity as having uncovered the bug
> (e.g. #5549) but nothing recent.
>
> Would anyone be interested in making use of this tool?  If so I can
> contact them and see if I can set it up.
>

Hi,

I am a developer on the xine project.
We used Coverity, and although a lot of the items it highlighted were
not bugs, it did spot some bugs that were well worth fixing.
So, on balance, I think it is well worth it, being that it is free,
except the time it takes for us to scan through the items to identify
the actual bugs from the noise.
For us, we did not have to deliver any source code to them. They just
grabbed it from our SVN repository at the time.
I do not know if xine still uses Coverity or not.

Kind Regards

James


erik at hovland

May 7, 2012, 10:03 AM

Post #12 of 38 (2960 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Mon, May 7, 2012 at 9:47 AM, Eric Sharkey <eric [at] lisaneric> wrote:
> On Mon, May 7, 2012 at 12:34 PM, Gary Buhrmaster
> <gary.buhrmaster [at] gmail> wrote:
>> And you want to (first) target your upcoming release(s).
>
> Isn't the next release posted as the current release on mythtv.org
> likely to be built from fixes/0.25?

No, the next release of MythTV will be from master.

E

--
Erik Hovland
erik [at] hovland
http://hovland.org/


gary.buhrmaster at gmail

May 7, 2012, 10:19 AM

Post #13 of 38 (2967 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Mon, May 7, 2012 at 5:03 PM, Erik Hovland <erik [at] hovland> wrote:
> On Mon, May 7, 2012 at 9:47 AM, Eric Sharkey <eric [at] lisaneric> wrote:
....
>> Isn't the next release posted as the current release on mythtv.org
>> likely to be built from fixes/0.25?
>
> No, the next release of MythTV will be from master.

I think this is an issue of the overloading of the term
release.

The 0.26 release will be based on git master.
The 0.25.1 release will be based on git fixes/0.25.

It seems likely that a 0.25.1 release will happen
before 0.26, but that is up to the devs (I suspect
there will be a 0.25.1, but since I have heard that
there are thoughts to move to a faster release
cycle, there may never be a 0.25.2 before 0.26).

However, at this time, the only codes that I have
seen committed to fixes/0.25 are first committed
to master (and then cherry picked for fixes/0.25).
So, all the codes that currently matter are in
master, and all the codes that will matter are
in master.

Gary


eric at lisaneric

May 7, 2012, 10:46 AM

Post #14 of 38 (2962 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Mon, May 7, 2012 at 1:00 PM, James Courtier-Dutton
<james.dutton [at] gmail> wrote:
> although a lot of the items it highlighted were
> not bugs, it did spot some bugs that were well worth fixing.
> So, on balance, I think it is well worth it, being that it is free,

This mirrors my experience with Coverity in a commercial setting,
except for the free bit.

It will catch a lot of hard to reproduce cases that won't be caught by
general testing but may definitely affect users.

Eric


eric at lisaneric

May 7, 2012, 1:54 PM

Post #15 of 38 (2971 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Mon, May 7, 2012 at 12:14 PM, Eric Sharkey <eric [at] lisaneric> wrote:
> I'll prepare builds for both master and 0.25 fixes and check back on
> this list before actually submitting anything to Coverity.

Ok, I have a build done.

1836 C/C++ compilation units (99%) are ready for analysis
The cov-build utility completed successfully.

Since everyone seemed to want master, I did master. I only did the
core mythtv sources, not the plugins. Is there any reason not to go
ahead and submit this to Coverity tonight?

Eric


eric at lisaneric

May 7, 2012, 6:32 PM

Post #16 of 38 (2947 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Mon, May 7, 2012 at 4:54 PM, Eric Sharkey <eric [at] lisaneric> wrote:
> Ok, I have a build done.
>
> 1836 C/C++ compilation units (99%) are ready for analysis
> The cov-build utility completed successfully.
>
> Since everyone seemed to want master, I did master. I only did the
> core mythtv sources, not the plugins. Is there any reason not to go
> ahead and submit this to Coverity tonight?

This is now done.

Eric


eric at lisaneric

May 7, 2012, 7:44 PM

Post #17 of 38 (2940 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Mon, May 7, 2012 at 9:32 PM, Eric Sharkey <eric [at] lisaneric> wrote:
>> Is there any reason not to go
>> ahead and submit this to Coverity tonight?
>
> This is now done.

They're really on top of things.

Coverity response:

----

Thanks Eric, build looks good..

We will inform you once the build is analyzed and committed...
It might take a while before the results are available...

----

Eric


eric at lisaneric

May 9, 2012, 1:37 PM

Post #18 of 38 (2925 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

> It might take a while before the results are available...

Results are available now. All in all it looks pretty clean, with
only 994 defect reports.

Dakshesh pointed out a systematic false positive pattern because
Coverity does not know by analyzing the MythTV sources that the Qt
function quit() does not return and suggested a few ways to work
around this, but I think it's better to poke around and take a look at
what's there now, with the knowledge that there are ways to make it
better.

I'll be sending login information to individuals shortly.

Eric


eric at lisaneric

May 9, 2012, 2:19 PM

Post #19 of 38 (2923 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Wed, May 9, 2012 at 4:37 PM, Eric Sharkey <eric [at] lisaneric> wrote:
> I'll be sending login information to individuals shortly.

Actually I'm not sure who, beyond Stuart, wants/needs/should have access.

Coverity's position is that access should be restricted to official
developers based on responsible disclosure rules for potential
security vulnerabilities.

On the other hand, there's nothing revealed here that anyone with a
commercial Coverity license couldn't get on their own.

If you would like an account, please let me know.

Eric


stuart at tase

May 9, 2012, 4:16 PM

Post #20 of 38 (2909 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Wednesday 09 May 2012 16:37:54 Eric Sharkey wrote:
> > It might take a while before the results are available...
>
> Results are available now. All in all it looks pretty clean, with
> only 994 defect reports.

350+ of those alone in ffmpeg, i.e. not our code. I don't suppose there is any
way to ignore the third party libs we've included into our code base?

--
Stuart Morgan


eric at lisaneric

May 9, 2012, 4:31 PM

Post #21 of 38 (2916 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Wed, May 9, 2012 at 7:16 PM, Stuart Morgan <stuart [at] tase> wrote:
> 350+ of those alone in ffmpeg, i.e. not our code. I don't suppose there is any
> way to ignore the third party libs we've included into our code base?

In the top left there's a panel called "Filters" that lets you narrow
down the defect list. Under the File: section, add regular
expressions for the locations you want to look for defects. Searching
for bugs in "/libs/*" wouldn't show anything in ffmpeg, since that's
not under libs.

Personally, I find it easiest to browse by file. Go to the files tab
at the top, open up the tree and pick some files with code you're
familiar with, then walk down the defect list in the annotated source
for the file.

The user interface is pretty good. Most of it you can figure out with
a little playing around.

Eric


stuart at tase

May 9, 2012, 4:49 PM

Post #22 of 38 (2910 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Thursday 10 May 2012 00:16:36 Stuart Morgan wrote:
> On Wednesday 09 May 2012 16:37:54 Eric Sharkey wrote:
> > > It might take a while before the results are available...
> >
> > Results are available now. All in all it looks pretty clean, with
> > only 994 defect reports.
>
> 350+ of those alone in ffmpeg, i.e. not our code. I don't suppose there is
> any way to ignore the third party libs we've included into our code base?

When I 'ignore' all those warnings which aren't in our code then just 360 of
that 994 figure are left.

Of that 360 just a third are rated as 'high impact' and of those many are
still trivial or false positives. It will take me a while to work through them
and figure out how many of these deserve a fix.
--
Stuart Morgan


eric at lisaneric

May 9, 2012, 5:03 PM

Post #23 of 38 (2925 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Wed, May 9, 2012 at 7:49 PM, Stuart Morgan <stuart [at] tase> wrote:
> Of that 360 just a third are rated as 'high impact' and of those many are
> still trivial or false positives. It will take me a while to work through them
> and figure out how many of these deserve a fix.

I don't think Coverity does a particularly good job at impact
assessment. There can be some serious problems that don't have a high
impact rating.

I see you modified #700472 with action ignore but you didn't set
classification false positive (which is what I was about to do). Was
that intentional?

Eric


stuart at tase

May 9, 2012, 5:18 PM

Post #24 of 38 (2922 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Wednesday 09 May 2012 17:19:13 Eric Sharkey wrote:
> On Wed, May 9, 2012 at 4:37 PM, Eric Sharkey <eric [at] lisaneric> wrote:
> > I'll be sending login information to individuals shortly.
>
> Actually I'm not sure who, beyond Stuart, wants/needs/should have access.
>
> Coverity's position is that access should be restricted to official
> developers based on responsible disclosure rules for potential
> security vulnerabilities.
>
> On the other hand, there's nothing revealed here that anyone with a
> commercial Coverity license couldn't get on their own.

We should restrict it to official devs for now because it's not a read-only
thing and we don't want just anyone modifying the severity/resolution of
warnings. Much as the help would be appreciated we don't want the hard work of
triaging to be undone either accidentally or maliciously.

An official dev is anyone with a mythtv.org email address and we should sign
people up with those addresses.
--
Stuart Morgan


stuart at tase

May 9, 2012, 5:19 PM

Post #25 of 38 (2921 views)
Re: status of MythTV wrt Coverity Scan [In reply to]

On Wednesday 09 May 2012 20:03:13 Eric Sharkey wrote:
> I see you modified #700472 with action ignore but you didn't set
> classification false positive (which is what I was about to do). Was
> that intentional?

I bulk set any external libs that aren't maintained by us to 'ignore', that
included #700472 because libhdhomerun is maintained by SiliconDust

--
Stuart Morgan
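
The triage pass discussed in the posts above (set bundled third-party libraries to 'ignore' without recording them as false positives, leave existing triage decisions alone, then work the project's own defects by impact), sketched as an added example that is not part of the thread or of any Coverity tooling. The defect records, path prefixes and field values are constructed for illustration and do not reflect MythTV's tree or real scan output.

```python
import posixpath
from collections import Counter
from dataclasses import dataclass, replace

# Hypothetical locations of bundled third-party code (assumption, not MythTV's layout).
VENDORED_PREFIXES = ("third_party/ffmpeg/", "third_party/libhdhomerun/")
IMPACT_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Defect:
    cid: int
    path: str
    impact: str                           # "high", "medium" or "low"
    action: str = "undecided"             # e.g. "ignore", "fix required"
    classification: str = "unclassified"  # e.g. "false positive", "bug"


def is_vendored(defect, prefixes=VENDORED_PREFIXES):
    # Normalise first so "libs/../third_party/ffmpeg/x.c" is still recognised.
    path = posixpath.normpath(defect.path).lstrip("/")
    return path.startswith(prefixes)


def bulk_ignore_vendored(defects):
    """Set action='ignore' on untriaged vendored defects.

    Classification is left untouched: 'not ours to fix' is a different
    statement from 'false positive'. Defects that someone has already
    triaged are not overwritten, so earlier work is not undone.
    """
    out = []
    for d in defects:
        if is_vendored(d) and d.action == "undecided":
            d = replace(d, action="ignore")
        out.append(d)
    return out


def review_queue(defects):
    """First-party defects still awaiting a decision, highest impact first."""
    pending = [d for d in defects
               if not is_vendored(d) and d.action == "undecided"]
    return sorted(pending, key=lambda d: (IMPACT_ORDER[d.impact], d.cid))


def summarise(defects):
    counts = Counter()
    for d in defects:
        owner = "vendored" if is_vendored(d) else "first_party"
        counts[owner] += 1
        counts[(owner, d.impact)] += 1
        if d.classification == "false positive":
            counts["false_positive"] += 1
    return counts


# Constructed sample defect list.
SAMPLE = [
    Defect(1001, "third_party/ffmpeg/libavcodec/a.c", "high"),
    Defect(1002, "third_party/ffmpeg/libavformat/b.c", "medium"),
    Defect(1003, "third_party/libhdhomerun/c.c", "high"),
    Defect(1004, "libs/player/d.cpp", "high"),
    Defect(1005, "libs/base/e.cpp", "low"),
    Defect(1006, "programs/frontend/f.cpp", "medium"),
    Defect(1007, "libs/../third_party/ffmpeg/g.c", "low"),
    # Already triaged by someone: must survive the bulk pass unchanged.
    Defect(1008, "third_party/ffmpeg/h.c", "high",
           action="fix required", classification="bug"),
]

if __name__ == "__main__":
    triaged = bulk_ignore_vendored(SAMPLE)
    stats = summarise(triaged)
    print("vendored:", stats["vendored"], "first-party:", stats["first_party"])
    for d in review_queue(triaged):
        print(d.cid, d.impact, d.path)
```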
