2006-03-06 05:35:10

by Ben Chelf

[permalink] [raw]
Subject: Coverity Open Source Defect Scan of Linux

Hello Linux Developers,

I'm the CTO of Coverity, Inc., a company that does static source code
analysis to look for defects in code. You may have heard of us or of our
technology from its days at Stanford (the "Stanford Checker"). The
reason I'm writing is because we have set up a framework internally to
continually scan open source projects and provide the results of our
analysis back to the developers of those projects. Linux is one of the
32 projects currently scanned at:

http://scan.coverity.com

My belief is that we (Coverity) must reach out to the developers of
these packages (you) in order to make progress in actually fixing the
defects that we happen to find, so this is my first step in that
mission. Of course, I think Coverity technology is great, but I want to
hear what you think and that's why I worked with folks at Coverity to
put this infrastructure in place. The process is simple -- it checks out
your code each night from your repository and scans it so you can always
see the latest results.

Right now, we're guarding access to the actual defects that we report
for a couple of reasons: (1) We think that you, as developers of Linux,
should have the chance to look at the defects we find to patch them
before random other folks get to see what we found and (2) From a
support perspective, we want to make sure that we have the appropriate
time to engage with those who want to use the results to fix the code.
Because of this second point, I'd ask that if you are interested in
really digging into the results a bit further for your project, please
have a couple of core maintainers (or group nominated individuals) reach
out to me to request access. As this is a new process for us and still
involves a small number of packages, I want to make sure that I
personally can be involved with the activity that is generated from this
effort.

So I'm basically asking for people who want to play around with some
cool new technology to help make source code better. If this interests
you, please feel free to reach out to me directly. And of course, if
there are other packages you care about that aren't currently on the
list, I want to know about those too.

If this is the wrong list, my sincerest apologies and please let me
know where would be a more appropriate forum for this type of message.

Many thanks for reading this far...

-ben

Ben Chelf
Chief Technology Officer
Coverity, Inc.


2006-03-06 05:50:26

by Dave Jones

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote:

> Right now, we're guarding access to the actual defects that we report
> for a couple of reasons: (1) We think that you, as developers of Linux,
> should have the chance to look at the defects we find to patch them
> before random other folks get to see what we found and (2) From a
> support perspective, we want to make sure that we have the appropriate
> time to engage with those who want to use the results to fix the code.
> Because of this second point, I'd ask that if you are interested in
> really digging into the results a bit further for your project, please
> have a couple of core maintainers (or group nominated individuals) reach
> out to me to request access. As this is a new process for us and still
> involves a small number of packages, I want to make sure that I
> personally can be involved with the activity that is generated from this
> effort.
>
> So I'm basically asking for people who want to play around with some
> cool new technology to help make source code better. If this interests
> you, please feel free to reach out to me directly. And of course, if
> there are other packages you care about that aren't currently on the
> list, I want to know about those too.

The last time I asked about access to your bug list, I was asked to
sign the equivalent of a non-compete agreement. Is this still in place?

Dave

--
http://www.codemonkey.org.uk

2006-03-06 10:27:31

by Adrian Bunk

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote:

> Hello Linux Developers,


Hi Ben,


> I'm the CTO of Coverity, Inc., a company that does static source code
> analysis to look for defects in code. You may have heard of us or of our
> technology from its days at Stanford (the "Stanford Checker"). The
> reason I'm writing is because we have set up a framework internally to
> continually scan open source projects and provide the results of our
> analysis back to the developers of those projects. Linux is one of the
> 32 projects currently scanned at:
>
> http://scan.coverity.com
>...
> Right now, we're guarding access to the actual defects that we report
> for a couple of reasons: (1) We think that you, as developers of Linux,
> should have the chance to look at the defects we find to patch them
> before random other folks get to see what we found and (2) From a
> support perspective, we want to make sure that we have the appropriate
> time to engage with those who want to use the results to fix the code.
> Because of this second point, I'd ask that if you are interested in
> really digging into the results a bit further for your project, please
> have a couple of core maintainers (or group nominated individuals) reach
> out to me to request access. As this is a new process for us and still
> involves a small number of packages, I want to make sure that I
> personally can be involved with the activity that is generated from this
> effort.
>...


It seems there is some internal communication problem inside your
company:

This is far from being a "new process", you already offered this for
some time at http://linuxbugsdb.coverity.com/ (with the exception that
you stopped updating the results half a year ago).

If you as the CTO didn't know about this it is giving a very bad
impression of your company.

Some questions regarding this move:
- can you migrate the accounts from linuxbugsdb.coverity.com?
- are the comments Linux kernel developers like me did at
linuxbugsdb.coverity.com migrated to scan.coverity.com or was this
wasted work?


Another thing you could give a small clarification about:
Your email sounds as if your offer was like a charity offer from
Coverity, Inc.

OTOH, I remember press rumors of Coverity, Inc getting 297 000 Dollar
for this from the Department of Homeland Security.

I'm sure you are not silently omitting that you are getting public
fundings for what you are offering, but an official statement would be
nice.


> -ben


cu
Adrian

--

"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed

2006-03-06 10:50:31

by Bernd Petrovitsch

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

Some improvements for the next press release (of Coverty, Inc.):

On Mon, 2006-03-06 at 11:27 +0100, Adrian Bunk wrote:
> On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote:
> > Hello Linux Developers,
[...]
> > analysis back to the developers of those projects. Linux is one of the
^^^^^
should have been "The Linux kernel"
[...]
> > for a couple of reasons: (1) We think that you, as developers of Linux,
^^^^^
should have been "the Linux kernel"
[...]
> It seems there is some internal communication problem inside your
> company:

ACK.

> This is far from being a "new process", you already offered this for
> some time at http://linuxbugsdb.coverity.com/ (with the exception that
> you stopped updating the results half a year ago).
>
> If you as the CTO didn't know about this it is giving a very bad
> impression of your company.
[...]
Bernd
--
Firmix Software GmbH http://www.firmix.at/
mobil: +43 664 4416156 fax: +43 1 7890849-55
Embedded Linux Development and Services

2006-03-06 11:04:19

by Michal Schmidt

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

Bernd Petrovitsch wrote:
> > > analysis back to the developers of those projects. Linux is one of the
> ^^^^^
> should have been "The Linux kernel"

Why? Are you afraid of confusion with Linux the washing powder?

Michal

2006-03-06 11:12:55

by Bernd Petrovitsch

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

On Mon, 2006-03-06 at 12:03 +0100, Michal Schmidt wrote:
> Bernd Petrovitsch wrote:
> > > > analysis back to the developers of those projects. Linux is one of the
> > ^^^^^
> > should have been "The Linux kernel"
>
> Why? Are you afraid of confusion with Linux the washing powder?

No (that's actually the cobfusion I don't fear).
The word "Linux" used as above has lots of different interpretations
depending on who you ask (from "Linux kernel" to "Linux distribution" to
"open source software" and I won't try to guess what sales people in
their average ignorance would answer).
"The Linux kernel" is not that much longer much more accurate.

Yes, directly (and only) here on LKML there is probably no problem. But
these mails are also in some mail archives on the web .....

Bernd
--
Firmix Software GmbH http://www.firmix.at/
mobil: +43 664 4416156 fax: +43 1 7890849-55
Embedded Linux Development and Services

2006-03-06 11:57:49

by Gene Heskett

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

On Monday 06 March 2006 06:03, Michal Schmidt wrote:
>Bernd Petrovitsch wrote:
>> > > analysis back to the developers of those projects. Linux is one
>> > > of the
>>
>> ^^^^^
>> should have been "The Linux kernel"
>
>Why? Are you afraid of confusion with Linux the washing powder?
>
If there is indeed a linux washing powder, where might it be obtained?
I get a bad case of contact dermatitus when I use the regular stuff from
M$.

>Michal
>-
>To unsubscribe from this list: send the line "unsubscribe
> linux-kernel" in the body of a message to [email protected]
>More majordomo info at http://vger.kernel.org/majordomo-info.html
>Please read the FAQ at http://www.tux.org/lkml/

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.

2006-03-06 12:38:51

by Michal Schmidt

[permalink] [raw]
Subject: [OT] Linux washing powder (was: Re: Coverity Open Source Defect Scan of Linux)

Gene Heskett wrote:
> If there is indeed a linux washing powder, where might it be obtained?
> I get a bad case of contact dermatitus when I use the regular stuff from
> M$.

See http://en.wikipedia.org/wiki/Linux_(washing_powder)

2006-03-06 13:07:29

by Dick Streefland

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

Gene Heskett <[email protected]> wrote:
| If there is indeed a linux washing powder, where might it be obtained?
| I get a bad case of contact dermatitus when I use the regular stuff from
| M$.

http://www.roesch-swiss.ch/index.php?otsi=linux&tyyp_id=19

--
Dick Streefland //// Altium BV
[email protected] (@ @) http://www.altium.com
--------------------------------oOO--(_)--OOo---------------------------

2006-03-06 13:39:20

by Ben Chelf

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux



Bernd Petrovitsch wrote:
> On Mon, 2006-03-06 at 12:03 +0100, Michal Schmidt wrote:
>
>>Bernd Petrovitsch wrote:
>>
>>>>>analysis back to the developers of those projects. Linux is one of the
>>>
>>> ^^^^^
>>> should have been "The Linux kernel"
>>
>>Why? Are you afraid of confusion with Linux the washing powder?
>
>
> No (that's actually the cobfusion I don't fear).

Just to clarify -- I am aware (and have been since it's inception) of
Coverity's previous work on the subject. I was one of the guys at
Stanford who started pushing Linux through the technology years and
years ago :) However, the "new process" piece is the fact that now we
have the infrastructure in place to provide the results of the daily
scans that we are performing of the kernel and other open source
projects back to the developers and core maintainers of those projects.

Sorry about any confusion caused by my terminology with "Linux". I
admit, form email and should have been "Linux kernel"...

-ben

2006-03-06 13:45:56

by Ben Chelf

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

(sorry for not responding to all Qs in the last email)


> Some questions regarding this move:
> - can you migrate the accounts from linuxbugsdb.coverity.com?
>

I will look into this -- I don't see any reason not to.

> - are the comments Linux kernel developers like me did at
> linuxbugsdb.coverity.com migrated to scan.coverity.com or was this
> wasted work?
>

That may be a bit more challenging, but again, I'll look into it. The
goal, of course, was not to waste your (or anyone's) work...

>
> Another thing you could give a small clarification about:
> Your email sounds as if your offer was like a charity offer from
> Coverity, Inc.
>
> OTOH, I remember press rumors of Coverity, Inc getting 297 000 Dollar
> for this from the Department of Homeland Security.
>
> I'm sure you are not silently omitting that you are getting public
> fundings for what you are offering, but an official statement would be
> nice.
>

Snipped from http://scan.coverity.com:

"In collaboration with Stanford University, Coverity is establishing a
new baseline for software quality and security in open source based on
the analysis of over 30 of the most critical and widely used open source
projects in the world. Under a contract with the Department of Homeland
Security, we apply the latest innovation in automated defect detection
to uncover some of the most critical types of bugs found in software.

We are making the results of our automated analysis available to the
maintainers within the open source community. Additional projects will
be added over time. Through this process, our hope is that the benefits
of the open source model are further accelerated with faster and easier
remediation of defects in open source."

I feared my original email was a bit too long as it stood...apologies if
anyone felt misled.

-ben

2006-03-06 15:46:04

by Greg KH

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

On Sun, Mar 05, 2006 at 09:35:11PM -0800, Ben Chelf wrote:
> Right now, we're guarding access to the actual defects that we report
> for a couple of reasons: (1) We think that you, as developers of Linux,
> should have the chance to look at the defects we find to patch them
> before random other folks get to see what we found and (2) From a
> support perspective, we want to make sure that we have the appropriate
> time to engage with those who want to use the results to fix the code.

If you feel these are security related, please contact
[email protected] with the information (as is documented in the kernel
documentation). If you do not feel they are security related, but just
normal bugs that don't really cause problems, feel free to just post the
information here on lkml, and cc: the maintainers of the affected areas
of code.

In other words, these should be treated like any other potential bug
report. And I mean "potential", as your tool has had false positives in
the past :)

thanks,

greg k-h

2006-03-06 18:53:18

by Jesper Juhl

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

On 3/6/06, Pavel Machek <[email protected]> wrote:
> On Ne 05-03-06 21:35:11, Ben Chelf wrote:
> > Hello Linux Developers,
> >
> > I'm the CTO of Coverity, Inc., a company that does static source code
> > analysis to look for defects in code. You may have heard of us or of our
> > technology from its days at Stanford (the "Stanford Checker"). The
> > reason I'm writing is because we have set up a framework internally to
> > continually scan open source projects and provide the results of our
> > analysis back to the developers of those projects. Linux is one of the
> > 32 projects currently scanned at:
> >
> > http://scan.coverity.com
> >
> > My belief is that we (Coverity) must reach out to the developers of
> > these packages (you) in order to make progress in actually fixing the
> > defects that we happen to find, so this is my first step in that
> > mission. Of course, I think Coverity technology is great, but I want
>
> Could you just open the (kernel) results to the public? Going after
> warnings from compiler (afaics that's roughly what coverity is) is
> ideal janitorial job, and job where many people -- not only core
> developers -- can help.
> Pavel

I agree.

Cleaning some of this stuff up is something that I would be prepared
to work on, but I honestly can't be bothered to have to "register"
with coverity for the privilege of seeing the bug-reports...

Linux is a public project, just make the bug-reports/check results
public somewhere so we can all work on them.

--
Jesper Juhl <[email protected]>
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please http://www.expita.com/nomime.html

2006-03-06 18:33:51

by Pavel Machek

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

On Ne 05-03-06 21:35:11, Ben Chelf wrote:
> Hello Linux Developers,
>
> I'm the CTO of Coverity, Inc., a company that does static source code
> analysis to look for defects in code. You may have heard of us or of our
> technology from its days at Stanford (the "Stanford Checker"). The
> reason I'm writing is because we have set up a framework internally to
> continually scan open source projects and provide the results of our
> analysis back to the developers of those projects. Linux is one of the
> 32 projects currently scanned at:
>
> http://scan.coverity.com
>
> My belief is that we (Coverity) must reach out to the developers of
> these packages (you) in order to make progress in actually fixing the
> defects that we happen to find, so this is my first step in that
> mission. Of course, I think Coverity technology is great, but I want

Could you just open the (kernel) results to the public? Going after
warnings from compiler (afaics that's roughly what coverity is) is
ideal janitorial job, and job where many people -- not only core
developers -- can help.
Pavel
--
Web maintainer for suspend.sf.net (http://www.sf.net/projects/suspend) wanted...

2006-03-06 20:13:40

by Gene Heskett

[permalink] [raw]
Subject: Re: [OT] Linux washing powder (was: Re: Coverity Open Source Defect Scan of Linux)

On Monday 06 March 2006 07:38, Michal Schmidt wrote:
>Gene Heskett wrote:
>> If there is indeed a linux washing powder, where might it be
>> obtained? I get a bad case of contact dermatitus when I use the
>> regular stuff from M$.
>
>See http://en.wikipedia.org/wiki/Linux_(washing_powder)

Touche`
:)
--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.

2006-03-14 12:37:43

by Mauro Carvalho Chehab

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

Ben,

I'm the maintainer of V4L/DVB subsystem of the Linux Kernel
(http://linuxtv.org). I think your took may be usefull to our work.
Would you please give me an access to the tool?

Em Dom, 2006-03-05 ?s 21:35 -0800, Ben Chelf escreveu:
> Hello Linux Developers,
>
> I'm the CTO of Coverity, Inc., a company that does static source code
> analysis to look for defects in code. You may have heard of us or of our
> technology from its days at Stanford (the "Stanford Checker"). The
> reason I'm writing is because we have set up a framework internally to
> continually scan open source projects and provide the results of our
> analysis back to the developers of those projects. Linux is one of the
> 32 projects currently scanned at:
>
> http://scan.coverity.com

Cheers,
Mauro.

2006-03-15 03:41:08

by Lee Revell

[permalink] [raw]
Subject: Re: Coverity Open Source Defect Scan of Linux

On Sun, 2006-03-05 at 21:35 -0800, Ben Chelf wrote:
> Hello Linux Developers,
>
> I'm the CTO of Coverity, Inc., a company that does static source code
> analysis to look for defects in code. You may have heard of us or of our
> technology from its days at Stanford (the "Stanford Checker"). The
> reason I'm writing is because we have set up a framework internally to
> continually scan open source projects and provide the results of our
> analysis back to the developers of those projects. Linux is one of the
> 32 projects currently scanned at:
>
> http://scan.coverity.com

It would be nice to run this against the userspace components of ALSA
too...

http://www.alsa-project.org

Lee