[cairo] Cairo is at Coverity Rung 0

Mon Jul 30 09:51:42 PDT 2007

On Thu, 26 Jul 2007 18:10:56 -0700, Ian Osgood wrote:
> Hey, did folks know that Coverity has done a scan of cairo, and is
> waiting to be contacted by the maintainer (cworth, I presume) to
> obtain the results?

I was contacted by the Coverity folks some time ago about their scan
of the cairo source code. They offered me an extremely onerous
contract (or similar) before I could get access to any data. My
understanding of the terms, (with clarifications from Coverity), were
that I'd effectively be under a non-compete agreement with Coverity,
(with no expiration that I could see), that would include never
working to improve free software tools that might be perceived as
competing with Coverity. The sparse tool was given as a specific
instance of software that belongs in this class.

I refuse to enter an agreement like that, (why would I ever want to
preclude my own involvement in an entire class of free software
projects?). And I also didn't invite anyone else to enter the
agreement, since I wouldn't wish that on anybody, (signing away the
right to work on free software in the future is a rather grim
proposition).

If the terms have improved, then perhaps someone could get
involved.

In the meantime, I know that cairo has benefitted from some people, (I
don't know who, exactly), that have been feeding Coverity reports from
the scan of mozilla, (which includes cairo), into cairo's
bugzilla. Perhaps those people have already crossed the contractual
bridge could also feed us reports directly from the scan of
cairo. (The coverity folks explained to me that generating public bug
reports from coverity data is fine, and doesn't create the need for
any contract for people to read the bug reports. Somehow it's only the
"direct" view of the coverity data that threatens to give away their
secrets that they feel so compelled to control. That doesn't make much
sense to me, but whatever.)

In the meantime, there are a lot of static-analysis things that I'd
love to see happening for cairo that I know that Coverity doesn't do,
and that I know would be quite easy to add to a tool like sparse. For
example, I'd like a tool that told us whenever we mixed fixed-point
with non-fixed-point integer arithmetic, or whenever we mixed values
from two different coordinate systems in the same arithmetic
expression.

If anybody would like to help improve sparse, (or just teach us how to
start using it), to do those kinds of things, that would be great!
But do be careful about what agreements you make first.

-Carl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.cairographics.org/archives/cairo/attachments/20070730/e737587e/attachment.pgp 