Re: tar + cpio - covscan issues

[Bruno Haible]

Kamil Dudka wrote:
> > Downstream consumers can exclude the gnulib-copied directories using the
> > 'csgrep' program, AFAIU?
> 
> Not so easily.  csgrep can filter the results by path in the source tree.
> The problem with gnulib is that different projects embed it in different 
> directories.  For example, coreutils has it in /lib whereas findutils has
> it in /gl/lib while /lib contains other source files that we do not want
> to exclude.  So we would have to maintain such exclusion lists per project.
> 
> People maintaining their own medium-size projects can easily play with this.  
> I am in a different situation when I need to scan 3700 distinct projects and 
> approx. 480 million lines of code with more or less the same manpower ;-)

These project-specific settings regarding gnulib are stored in a file named
'gnulib-cache.m4' by gnulib-tool.m4. Currently, few packages are storing this
file under version control or packaging it in tarballs. But we could change
this by documenting that it should be included in the tarballs, or by
modifying gnulib-tool slightly.

Are you working with git repository checkouts or with tarballs?

Bruno