
Re: tar + cpio - covscan issues

From: Kamil Dudka
Subject: Re: tar + cpio - covscan issues
Date: Sat, 17 Apr 2021 16:21:48 +0200

On Saturday, April 17, 2021 12:01:56 AM CEST Bruno Haible wrote:
> Kamil Dudka wrote:
> > > Downstream consumers can exclude the gnulib-copied directories using the
> > > 'csgrep' program, AFAIU?
> > 
> > Not so easily.  csgrep can filter the results by path in the source tree.
> > The problem with gnulib is that different projects embed it in different
> > directories.  For example, coreutils has it in /lib whereas findutils has
> > it in /gl/lib while /lib contains other source files that we do not want
> > to exclude.  So we would have to maintain such exclusion lists per
> > project.
> > 
> > People maintaining their own medium-size projects can easily play with
> > this. I am in a different situation when I need to scan 3700 distinct
> > projects and approx. 480 million lines of code with more or less the same
> > manpower ;-)
> These project-specific settings regarding gnulib are stored in a file named
> 'gnulib-cache.m4' by gnulib-tool.m4. Currently, few packages are storing
> this file under version control or packaging it in tarballs. But we could
> change this by documenting that it should be included in the tarballs, or
> by modifying gnulib-tool slightly.
> Are you working with git repository checkouts or with tarballs?
> Bruno

The packages that I am scanning now are based on distribution tarballs but
there is currently some effort to provide a git-based workflow optionally for
Fedora/RHEL packages where maintainers prefer it:


I am not sure how much they take gnulib into account while developing this.
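As an added illustration of the per-project exclusion problem discussed in this thread (not code from the thread, from gnulib-tool or from csgrep): a small Python script that reads the directory settings gnulib-tool records in gnulib-cache.m4 and partitions scan-result paths into the project's own code and gnulib copies, so the exclusion list no longer has to be maintained by hand per project. The findutils-style cache file and result paths below are constructed sample data.

```python
"""Derive per-project gnulib exclusion prefixes from gnulib-cache.m4."""
import re
from typing import Dict, List, Tuple

# Directory-base macros gnulib-tool writes to gnulib-cache.m4; the values are
# relative to the project root (e.g. gl_SOURCE_BASE([gl/lib]) for findutils).
_BASE_MACROS = ("gl_SOURCE_BASE", "gl_M4_BASE", "gl_TESTS_BASE", "gl_DOC_BASE")
_MACRO_RE = re.compile(r"^\s*(gl_\w+)\(\[([^\]]*)\]\)", re.MULTILINE)


def gnulib_dirs(cache_m4: str) -> Dict[str, str]:
    """Return {macro: directory} for every directory-base macro with a value."""
    found = {}
    for macro, value in _MACRO_RE.findall(cache_m4):
        if macro in _BASE_MACROS and value.strip("/"):
            found[macro] = value.strip("/")
    return found


def is_gnulib_path(path: str, dirs: Dict[str, str]) -> bool:
    """True if a result path lies under one of the gnulib-copied directories."""
    norm = path[2:] if path.startswith("./") else path
    return any(norm == d or norm.startswith(d + "/") for d in dirs.values())


def split_results(paths: List[str], cache_m4: str) -> Tuple[List[str], List[str]]:
    """Split scan-result paths into (project code, gnulib copies)."""
    dirs = gnulib_dirs(cache_m4)
    keep = [p for p in paths if not is_gnulib_path(p, dirs)]
    drop = [p for p in paths if is_gnulib_path(p, dirs)]
    return keep, drop


# Constructed sample: a findutils-like layout where gnulib lives in gl/lib
# while lib/ holds the project's own sources that must stay in the report.
SAMPLE_CACHE = """\
# Specification in the form of a command-line call:
gl_LOCAL_DIR([])
gl_MODULES([argmatch fts])
gl_SOURCE_BASE([gl/lib])
gl_M4_BASE([gl/m4])
gl_TESTS_BASE([gl/tests])
gl_LIB([libgnulib])
"""
SAMPLE_PATHS = ["gl/lib/fts.c", "lib/buildcmd.c", "find/ftsfind.c", "gl/m4/fts.m4"]

if __name__ == "__main__":
    project, gnulib = split_results(SAMPLE_PATHS, SAMPLE_CACHE)
    print("project:", project)
    print("gnulib: ", gnulib)
```

The same partition can be applied to any result format that carries a source path per defect; the point is that the prefixes come from the package's own gnulib-cache.m4 rather than from a hand-kept list.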

