Subject: Re: [boost] Coverity Static Code Analysis
From: Phil Endecott (spam_from_boost_dev_at_[hidden])
Date: 2009-02-04 09:21:23

Gennaro Prota wrote:
> Marshall Clow wrote:
>> At 3:02 PM -0500 2/3/09, Michael Fawcett wrote:
>>> Purely out of curiosity, how come Boost isn't at Rung 1 in the
>>> Coverity Scan Ladder?
>>> Boost and Boost.Build are both listed in Rung 0, so it appears that
>>> the only step left is selecting a Boost/Coverity liaison.
>> I don't have a problem signing up as a liaison and helping people get
>> stuff fixed, but I think that someone with a bit of legal training needs
>> to look at the license that Coverity wants people to agree to before
>> using the scan results. [ It looks pretty harmless to me, but IANAL ]
> Well, since you brought up the issue... I'm not a lawyer either,
> but I'd *not* agree to anything like:
> Coverity may, in its sole discretion, modify or revise these
> terms and conditions and policies at any time, and you agree
> to be bound by such modifications or revisions.
> That's the fourth line of text, and I quit reading.

That's not great, is it? But if you read on a bit further a more
practical problem becomes apparent (if I have understood it correctly):
the person who registers with them is allowed to see the analysis but
they're not allowed to reveal it to anyone else (e.g. by posting to
this list), except indirectly by posting the bug fixes. I can see that
that might work for some projects, but for a collection of sub-projects
like Boost where no-one has expert understanding of everything, it
doesn't seem appropriate.

For what it's worth, I do believe that their tool does useful things.
For example I guess that it could have found the bug in
interprocess::sp_counted_impl.hpp that was reported a few days ago.

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk