[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: tar + cpio - covscan issues

From: Kamil Dudka
Subject: Re: tar + cpio - covscan issues
Date: Sat, 10 Apr 2021 15:34:15 +0200

On Saturday, April 10, 2021 12:26:37 PM CEST Bruno Haible wrote:
> Hi Ondrej,
> > proposing patch for some of the issues found by coverity scan in tar-1.34
> Thanks for these reports.
> When we get Coverity reports, we fix the things that are valid complaints
> about the code, but we do NOT change the code to reduce the number of
> reported issues. That is because

If you have enough time to manually review the same false positives over and 
over, this might work well for you.  Not everybody is in the same situation.

>   1) Coverity has a UI where you can mark issues are false issues, even with
> a rationale, and such resolutions are even propagated when the same source
> file is used in a different project (such as gnulib vs. tar).

So you have access to this UI, not everybody does.  Some developers prefer 
terminal-based workflow over web-based UI.  In any case, the data you enter 
through this UI is completely isolated from the open-source software that
you maintain.  Downstream consumers either have to feed their own instance
of the UI manually again, or just use something else without any cooperation 
with upstream.

> 2) About 80%
> to 90% of the reported issues are false issues. We would be seriously
> contorting the source code if we attempted to change the code to avoid the
> reports.

If you keep fixing real issues and ignoring false positives, such a situation 
is kind of expected.


> Bruno

reply via email to

[Prev in Thread] Current Thread [Next in Thread]