|
| From: | Paul Eggert |
| Subject: | Re: tar + cpio - covscan issues |
| Date: | Thu, 15 Apr 2021 13:30:14 -0700 |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1 |
On 4/15/21 1:07 PM, Kamil Dudka wrote:
People maintaining their own medium-size projects can easily play with this. I am in a different situation when I need to scan 3700 distinct projects and approx. 480 million lines of code with more or less the same manpower ;-)
I can appreciate the amount of work it takes to maintain all that scanning. Still, we have to be careful here not to let the tail wag the dog. The false-alarm rate from Coverity is too high for us to install patches needed only to pacify Coverity. Similarly for GCC with all its warning flags enabled.
we would have to maintain such exclusion lists per project.
My guess is that overall this would be less work, than the work of installing and reliably maintaining patches that pacify all combinations of Coverity and 'gcc -Wall -Wextra -Wetc' flags used by any downstream projects, without breaking or slowing down anything in any project. (But of course messing with exclusion lists would be work that you'd have to do, rather than us. :-)
| [Prev in Thread] | Current Thread | [Next in Thread] |