Re: [Geany-Devel] using Coverity to audit the code base
On Thu, Feb 26, 2015 at 7:18 PM, Colomban Wendling lists@herbesfolles.org wrote:
> Hey,
>
> On 12/02/2015 22:21, Liviu Andronic wrote:
>> Dear all,
>>
>> Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service:
>> https://scan.coverity.com/projects/1388
>
> Quoting Coverity's Scan User Agreement:
>
>     You will not publish any findings regarding or resulting from use of the Service or the Software;
>
> IANAL, but this looks like we couldn't discuss an issue it found on e.g. this mailing list. And your report about what it did find in Geany's code is already a violation of that agreement.
>
> More, just for the fun:
>
>     “Confidential Information” means: […] (d) any results of operation from use of the Software or the Service;
>
>     Without limiting the generality of the foregoing, You agree that You will not post […] the results of the Service […] on any network that is accessible by anyone.
>
> And this is the Scan User Agreement, I couldn't even find the Scan Terms of Use (at least not without trying to actually register myself).
>
> So… really?
>
> Regards,
> Colomban
>
> PS: Of course one will tell me that in practice they won't come after us for discussing a fix, but if it really is against the UA I'd rather not try and see what happens.

I haven't gotten any reply to my request for clarification. But I've also discussed this issue with LyX devels. The opinion there is that it's common sense to simply ignore the overly restrictive aspects of Coverity's User Agreement. It's highly unlikely that they'll come chasing for discussing a bug on the ML, and if they do, this shall be incredibly negative PR for them given all the efforts that they make to attract the open-source community. Given that very big projects use Coverity regularly, like LibreOffice or the Linux Kernel, perhaps it's not worth stressing too much about this.

Of course Geany maintainers are free to choose their stance on this issue. And if you're unhappy with the current situation, I could as well try to ask them to remove Geany from their service. Another way would be, for instance, to set up a dedicated, private ML (e.g. geany-dev-coverity) to which only members with access to Coverity can post/read. This should avoid most of the nagging related to their UA.

Cheers,
Liviu

--
Do you think you know what math is?
http://www.ideasroadshow.com/issues/ian-stewart-2013-08-02
Or what it means to be intelligent?
http://www.ideasroadshow.com/issues/john-duncan-2013-08-30
Think again: http://www.ideasroadshow.com/library

___
Devel mailing list
Devel@lists.geany.org
https://lists.geany.org/cgi-bin/mailman/listinfo/devel
Re: [Geany-Devel] using Coverity to audit the code base
On Sat, Mar 7, 2015 at 10:30 PM, Matthew Brush mbr...@codebrainz.ca wrote:
> On 15-03-07 12:59 PM, Liviu Andronic wrote:
>> On Thu, Feb 26, 2015 at 7:18 PM, Colomban Wendling lists@herbesfolles.org wrote:
>>> Hey,
>>>
>>> On 12/02/2015 22:21, Liviu Andronic wrote:
>>>> Dear all,
>>>>
>>>> Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service:
>>>> https://scan.coverity.com/projects/1388
>>>
>>> Quoting Coverity's Scan User Agreement:
>>>
>>>     You will not publish any findings regarding or resulting from use of the Service or the Software;
>>>
>>> IANAL, but this looks like we couldn't discuss an issue it found on e.g. this mailing list. And your report about what it did find in Geany's code is already a violation of that agreement.
>>>
>>> More, just for the fun:
>>>
>>>     “Confidential Information” means: […] (d) any results of operation from use of the Software or the Service;
>>>
>>>     Without limiting the generality of the foregoing, You agree that You will not post […] the results of the Service […] on any network that is accessible by anyone.
>>>
>>> And this is the Scan User Agreement, I couldn't even find the Scan Terms of Use (at least not without trying to actually register myself).
>>>
>>> So… really?
>>>
>>> Regards,
>>> Colomban
>>>
>>> PS: Of course one will tell me that in practice they won't come after us for discussing a fix, but if it really is against the UA I'd rather not try and see what happens.
>>
>> I haven't gotten any reply to my request for clarification. But I've also discussed this issue with LyX devels. The opinion there is that it's common sense to simply ignore the overly restrictive aspects of Coverity's User Agreement. It's highly unlikely that they'll come chasing for discussing a bug on the ML, and if they do, this shall be incredibly negative PR for them given all the efforts that they make to attract the open-source community. Given that very big projects use Coverity regularly, like LibreOffice or the Linux Kernel, perhaps it's not worth stressing too much about this.
>>
>> Of course Geany maintainers are free to choose their stance on this issue. And if you're unhappy with the current situation, I could as well try to ask them to remove Geany from their service. Another way would be, for instance, to set up a dedicated, private ML (e.g. geany-dev-coverity) to which only members with access to Coverity can post/read. This should avoid most of the nagging related to their UA.
>
> Hi,
>
> It's unclear what advantage Coverity has over just running Clang Static Analyzer and their various sanitizers. Is it just for the web UI or something?

People say it's powerful... I guess it's capable of detecting issues other tools don't. It also helps devels quite a bit understand the underlying issue and how to address it. From the other projects that are on Coverity, I hear nice things overall from the devels, namely that it's useful. In other instances, it mainly identifies trivial coding issues (which, hopefully, points to the coding base being robust).

Cheers,
Liviu

> Cheers,
> Matthew Brush
Re: [Geany-Devel] using Coverity to audit the code base
Hi Colomban,

On Thu, Feb 26, 2015 at 10:55 PM, Colomban Wendling lists@herbesfolles.org wrote:
> On 26/02/2015 19:18, Colomban Wendling wrote:
>> […]
>>
>> Quoting Coverity's Scan User Agreement:
>>
>>     You will not publish any findings regarding or resulting from use of the Service or the Software;
>>
>> IANAL, but this looks like we couldn't discuss an issue it found on e.g. this mailing list.
>
> OK, someone gave me the argument "well, but it's just to avoid security vulnerability disclosure", but even if it was true (the UA really isn't specific on this), as the UA is written I don't think we could *ever* talk about *anything* we see there. Not even days after an actual bug was found, nor ever -- which in addition to being silly disallows discussion on how not to reproduce it in the future.

Nice catch. I sent a request for clarification to the Scanner admins.

> […]
>
>> And this is the Scan User Agreement, I couldn't even find the Scan Terms of Use (at least not without trying to actually register myself).
>
> Hum, I tried to register with my GitHub account just to see if I'd get a link to these mythical Scan Terms of Use during the process, and… I didn't have to accept *anything*, no nothing, like click and boom you're registered. So apparently now I do have an account there -- but I still can't find these Scan Terms of Use.

I guess you're looking for this: http://www.coverity.com/terms-of-use/

They seem broad enough to cover the Scanner, too.

Liviu

> Colomban
Re: [Geany-Devel] using Coverity to audit the code base
On Wed, Feb 18, 2015 at 2:57 PM, Nick Treleaven nick.trelea...@btinternet.com wrote:
> On 12/02/2015 21:21, Liviu Andronic wrote:
>> Coverity has uncovered ~55 implementation defects in the code base, with 25 or so of high severity (memory corruption, resource leaks, etc.)
>
> Thanks. Some of this should be useful, but AFAICT some of the serious items seem to occur when certain assertions have failed, e.g. TagManager Assert, which cause a lot of false positives.

Coverity has some facilities to deal with false positives. For instance, it is possible to classify an identified issue as false positive or intentional, meaning that Coverity shall ignore it in future code scans. But more usefully we can specify a Modeling File:

    Static code analysis has some limitations in its ability to understand certain dynamic operations. This limitation may result in falsely detecting defects. Since most false-positive defects are caused by few functions in your code base, Coverity allows you to tell the analysis engine to treat these functions differently. This is called a Modeling File. By providing a modeling file, most projects reduce their false-positive rate to the ballpark of 10%.

Maybe we should look into that?

Cheers,
Liviu
[Geany-Devel] using Coverity to audit the code base
Dear all,

Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service:
https://scan.coverity.com/projects/1388

Coverity has uncovered ~55 implementation defects in the code base, with 25 or so of high severity (memory corruption, resource leaks, etc.)

To view the defects, you need to connect with your GitHub account (or create one with Coverity) and request 'Add me to project' (which I shall then approve).

Coverity provides overall metrics like defect density (Geany scores an impressive 0.23), but also classifies uncovered bugs by type and severity, and provides a nice UI trying to explain to the devels the specifics of the bug and how to address it (e.g. where it happens, why it's an issue, etc.)

This tool is being used by heavyweights like LibreOffice, the Linux Kernel, Firefox or Python to improve the robustness of their code base. I suspect that Coverity could prove invaluable when trying to hunt down frustrating implementation issues causing obscure bugs.

In any case the identified bugs are now ready for inspection by the devels, so feel free to drop by!

Regards,
Liviu
Re: [Geany-Devel] using Coverity to audit the code base
On Fri, Feb 13, 2015 at 1:01 PM, Frank Lanitz fr...@frank.uvena.de wrote:
> On 2015-02-12 22:21, Liviu Andronic wrote:
>> Dear all,
>>
>> Recently I've discovered Coverity, a code checking tool, and went ahead and submitted the Geany code for static analysis by this service:
>> https://scan.coverity.com/projects/1388
>>
>> Coverity has uncovered ~55 implementation defects in the code base, with 25 or so of high severity (memory corruption, resource leaks, etc.)
>>
>> To view the defects, you need to connect with your GitHub account (or create one with Coverity) and request 'Add me to project' (which I shall then approve).
>>
>> Coverity provides overall metrics like defect density (Geany scores an impressive 0.23), but also classifies uncovered bugs by type and severity, and provides a nice UI trying to explain to the devels the specifics of the bug and how to address it (e.g. where it happens, why it's an issue, etc.)
>>
>> This tool is being used by heavyweights like LibreOffice, the Linux Kernel, Firefox or Python to improve the robustness of their code base. I suspect that Coverity could prove invaluable when trying to hunt down frustrating implementation issues causing obscure bugs.
>>
>> In any case the identified bugs are now ready for inspection by the devels, so feel free to drop by!
>
> Any chance to get the info w/o creating an account?

Well, not easily. Coverity forces users to sign a user agreement that would prevent you from creating competitor products using what you've learned from how their Scan works, or so I've heard. But more practically, their web interface allows devels to easily understand the bugs, where they're located, what needs to be fixed, etc. Of course I could send you screenshots privately, say, but I don't think that would be an efficient approach. And since all our devels have GitHub accounts, it's a breeze to sign into Coverity using that account...

Regards,
Liviu

> Cheers,
> Frank
Re: [Geany-Devel] Please add an option to customize folding widget size
On Sun, Mar 10, 2013 at 7:34 AM, Jiergir Ogoerg f35f22...@gmail.com wrote:
> Hi,
> on bigger screens (1920x1080) the folding widget size of Geany looks too small and you have to aim for it to click it. I'd ask you to add an option to make it bigger.

I concur. Even on small netbook screens one has to carefully aim at the folding widget, partially cancelling the benefits of folding code altogether.

Regards,
Liviu

> Btw CodeBlocks by default has a bigger folding widget - just the way I like it.
>
> The code in question is in sciwrappers.c. I recompiled Geany from git and I posted a screenshot with the function that manages the folding widget size at:
> http://sdfsfsfsdfasdfas.blogspot.com/2013/03/blog-post.html
>
> Please add a GUI option in Geany for people to be able to adjust the default folding widget size of 12 to up to like 18 (I use 16).
>
> Thanks

--
Do you know how to read?
http://www.alienetworks.com/srtest.cfm
http://goodies.xfce.org/projects/applications/xfce4-dict#speed-reader
Do you know how to write?
http://garbl.home.comcast.net/~garbl/stylemanual/e.htm#e-mail