public inbox for cygwin@cygwin.com
* Fwd: Coverity Scan
       [not found] <CAO1jNwuZhQoyccTTGJWcdUJHHQjHeYc5GZEyG-Hci5kfLaMcTA@mail.gmail.com>
@ 2014-04-25  9:10 ` Jan Nijtmans
  2014-04-25 12:17   ` Corinna Vinschen
  0 siblings, 1 reply; 15+ messages in thread
From: Jan Nijtmans @ 2014-04-25  9:10 UTC (permalink / raw)
  To: cygwin

2014-04-25 10:35 GMT+02:00 Corinna Vinschen:
> Yeah, I'm not exactly looking forward to it since I'm very familiar
> with CVS or SVN, but have nothing but trouble with git.  But since
> everybody else is so very happy with git, I guess I'll have to adapt.
> Teeth-gnashingly.

There are other alternatives than SVN and Git, you could try
Fossil: <http://www.fossil-scm.org/>

Jari Aalto made fossil version 1.28 available recently as
Cygwin/Cygwin64 package, which works fine. (Previous
builds had issues due to SQLite build problems, but those
are all fixed in this build). Highly recommended,
especially if you hate GIT (you are not the only one, really!),
I am using it extensively.

Regards,
        Jan Nijtmans

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Coverity Scan
  2014-04-25  9:10 ` Fwd: Coverity Scan Jan Nijtmans
@ 2014-04-25 12:17   ` Corinna Vinschen
  2014-04-25 15:55     ` Christopher Faylor
  0 siblings, 1 reply; 15+ messages in thread
From: Corinna Vinschen @ 2014-04-25 12:17 UTC (permalink / raw)
  To: cygwin


On Apr 25 11:10, Jan Nijtmans wrote:
> 2014-04-25 10:35 GMT+02:00 Corinna Vinschen:
> > Yeah, I'm not exactly looking forward to it since I'm very familiar
> > with CVS or SVN, but have nothing but trouble with git.  But since
> > everybody else is so very happy with git, I guess I'll have to adapt.
> > Teeth-gnashingly.
> 
> There are other alternatives than SVN and Git, you could try
> Fossil: <http://www.fossil-scm.org/>
> 
> Jari Aalto made fossil version 1.28 available recently as
> Cygwin/Cygwin64 package, which works fine. (Previous
> builds had issues due to SQLite build problems, but those
> are all fixed in this build). Highly recommended,
> especially if you hate GIT (you are not the only one, really!),
> I am using it extensively.

Looks nice, but I'm not so sure there should run YA sccs on sourceware.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: Coverity Scan
  2014-04-25 12:17   ` Corinna Vinschen
@ 2014-04-25 15:55     ` Christopher Faylor
  0 siblings, 0 replies; 15+ messages in thread
From: Christopher Faylor @ 2014-04-25 15:55 UTC (permalink / raw)
  To: cygwin

On Fri, Apr 25, 2014 at 02:17:19PM +0200, Corinna Vinschen wrote:
>On Apr 25 11:10, Jan Nijtmans wrote:
>> 2014-04-25 10:35 GMT+02:00 Corinna Vinschen:
>> > Yeah, I'm not exactly looking forward to it since I'm very familiar
>> > with CVS or SVN, but have nothing but trouble with git.  But since
>> > everybody else is so very happy with git, I guess I'll have to adapt.
>> > Teeth-gnashingly.
>> 
>> There are other alternatives than SVN and Git, you could try
>> Fossil: <http://www.fossil-scm.org/>
>> 
>> Jari Aalto made fossil version 1.28 available recently as
>> Cygwin/Cygwin64 package, which works fine. (Previous
>> builds had issues due to SQLite build problems, but those
>> are all fixed in this build). Highly recommended,
>> especially if you hate GIT (you are not the only one, really!),
>> I am using it extensively.
>
>Looks nice, but I'm not so sure there should run YA sccs on sourceware.

Right.

cgf


* Re: Coverity Scan
  2014-05-17 23:13         ` David Stacey
@ 2014-05-19  8:36           ` Corinna Vinschen
  0 siblings, 0 replies; 15+ messages in thread
From: Corinna Vinschen @ 2014-05-19  8:36 UTC (permalink / raw)
  To: cygwin


On May 17 21:58, David Stacey wrote:
> On 17/05/14 11:12, Corinna Vinschen wrote:
> >On May 16 21:00, David Stacey wrote:
> >>OK - we're in! You can find our project page at
> >>https://scan.coverity.com/projects/2250. Off the list, I've sent e-mails
> >>to Corinna and CGF inviting them to join the project ;-)
> >I got no such mail.  You didn't try the account I'm using for the
> >mailing list, I hope?  Please use my company address vinschen AT
> >redhat DOT com.
> 
> Apologies - another invitation sent to the correct e-mail address. Further
> apologies if I should have known your correct e-mail address already!
> 
> >I have no idea how this works. I had hoped I'd just get emails with the
> >scan results, the less fancy the solution, the better. We can set this up
> >using gpg encrypted mails, that would be the most elegant solution, IMHO.
> 
> I could probably get Coverity Scan to ping you an e-mail if a new defect is
> introduced. It's probably best if you look at the web page above. Once you
> accept the invitation and log in, you'll see a button to view the defects.
> For each defect, you'll see the defect itself, along with the path that the
> analysis engine took to get there.
> [...]
> >Well, the problem is that we're going to switch to git pretty soon, and
> >that will slightly change the directory layout.  But basically, in the
> >winsup dir, you see the subdirs
> >
> >   cygserver
> >   cygwin
> >   doc
> >   lsaauth
> >   testsuite
> >   utils
> >
> >Of those you can ignore
> >
> >   doc
> >   testsuite
> >
> >The other four would be natural groups, I think.  The toplevel and
> >winsup dirs don't need to be scanned either.
> 
> I've set up components for cygserver, cygwin, utils and newlib. There were
> no defects found in 'lsaauth' (which needs investigation in itself - I'll
> look at this).

A single source file.  Not much code.  There is at least *some*
non-0 probability that the code might be correct... I hope.

> If our directory structure is going to change when we move to
> git then that is OK - I'll remap the components at the point we move.
> However, be aware that reorganising things can confuse Coverity - if you
> sign off any warnings as 'won't fix' then they may reappear if the offending
> code is moved into a different class or file.

That's to be expected.

> >You are aware that we need a copyright assignment from you if you'd like
> >to provide patches, right? Please have a look at the "Before you get
> >started" section of http://cygwin.com/contrib.html
> 
> I'll limit my patches to the trivial kind that are ten lines or less. My
> present employer is amazingly supportive of the open source work that I do
> in my own time, and that boat doesn't need rocking.

Nevertheless, I'd be glad if you try.  This project is in desperate need
of developers getting their hands dirty.

> >In theory, at the time of writing this, I'd suggest to include only cgf,
> >yaakov, and me.
> 
> I've sent an invitation to Yaakov also.

Thanks!  For the time being I already marked a single reported problem
as false positive.  I look into more at some later point.  I'll first
try to get a 1.7.29-3 with a few bugfixes out of the door.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: Coverity Scan
  2014-05-17 10:13       ` Corinna Vinschen
@ 2014-05-17 23:13         ` David Stacey
  2014-05-19  8:36           ` Corinna Vinschen
  0 siblings, 1 reply; 15+ messages in thread
From: David Stacey @ 2014-05-17 23:13 UTC (permalink / raw)
  To: cygwin

On 17/05/14 11:12, Corinna Vinschen wrote:
> On May 16 21:00, David Stacey wrote:
>> OK - we're in! You can find our project page at 
>> https://scan.coverity.com/projects/2250. Off the list, I've sent 
>> e-mails to Corinna and CGF inviting them to join the project ;-) 
> I got no such mail.  You didn't try the account I'm using for the
> mailing list, I hope?  Please use my company address vinschen AT
> redhat DOT com.

Apologies - another invitation sent to the correct e-mail address. 
Further apologies if I should have known your correct e-mail address 
already!

> I have no idea how this works. I had hoped I'd just get emails with 
> the scan results, the less fancy the solution, the better. We can set 
> this up using gpg encrypted mails, that would be the most elegant 
> solution, IMHO. 

I could probably get Coverity Scan to ping you an e-mail if a new defect 
is introduced. It's probably best if you look at the web page above. 
Once you accept the invitation and log in, you'll see a button to view 
the defects. For each defect, you'll see the defect itself, along with 
the path that the analysis engine took to get there.

For example, consider the case of reading an uninitialised variable. The 
trace would start at the point the variable is declared. You would see 
the path taken through the code (e.g. taking the 'true' path of an 'if' 
statement, or not executing a 'while' loop because the condition was 
never satisfied) until you arrive at a line where the variable is read 
without ever having been initialised. This is more useful than simply 
complaining about reading an uninitialised variable: often these can be 
logic errors, i.e. the coder didn't consider a certain scenario, or 
thought that all paths through the code would initialise the variable at 
some point. As Coverity shows you the path through the code (even 
between functions), you see the hole in the logic.

>> There is still a little work to do in setting up the Coverity scan. The next
>> step is to group the code into logical clusters, which Coverity calls
>> Components. Typically, this is done on directories or other file groupings,
>> and the tool allows you to concentrate on just one of these components at
>> once. If you let me know what components you'd like, I'll set them up.
> Well, the problem is that we're going to switch to git pretty soon, and
> that will slightly change the directory layout.  But basically, in the
> winsup dir, you see the subdirs
>
>    cygserver
>    cygwin
>    doc
>    lsaauth
>    testsuite
>    utils
>
> Of those you can ignore
>
>    doc
>    testsuite
>
> The other four would be natural groups, I think.  The toplevel and
> winsup dirs don't need to be scanned either.

I've set up components for cygserver, cygwin, utils and newlib. There 
were no defects found in 'lsaauth' (which needs investigation in itself 
- I'll look at this). If our directory structure is going to change when 
we move to git then that is OK - I'll remap the components at the point 
we move. However, be aware that reorganising things can confuse Coverity 
- if you sign off any warnings as 'won't fix' then they may reappear if 
the offending code is moved into a different class or file.

> You are aware that we need a copyright assignment from you if you'd 
> like to provide patches, right? Please have a look at the "Before you 
> get started" section of http://cygwin.com/contrib.html

I'll limit my patches to the trivial kind that are ten lines or less. My 
present employer is amazingly supportive of the open source work that I 
do in my own time, and that boat doesn't need rocking.

> In theory, at the time of writing this, I'd suggest to include only cgf,
> yaakov, and me.

I've sent an invitation to Yaakov also.

Cheers,

Dave.
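
The uninitialised-variable trace described in the message above, as an added C example that is not part of the original thread and is not Cygwin code. The option table and the functions `find_level`, `level_before` and `level_after` are hypothetical; the numbered comments mark the steps a path-sensitive analyser would list, from the declaration, through the branch and the helper that returns without writing, to the read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data for this example (hypothetical, not Cygwin code). */
struct opt { const char *name; int level; };
static const struct opt OPTS[] = { {"quiet", 0}, {"normal", 1}, {"verbose", 2} };
#define N_OPTS (sizeof OPTS / sizeof OPTS[0])

/* Writes *level only when `name` is found; otherwise returns -1 and
   leaves *level exactly as the caller passed it in. */
static int find_level(const char *name, int *level)
{
    size_t i = 0;
    while (i < N_OPTS) {
        if (strcmp(OPTS[i].name, name) == 0) {
            *level = OPTS[i].level;
            return 0;
        }
        i++;
    }
    return -1;                    /* (3) no match: *level was never written */
}

/* Before: every line looks reasonable on its own, but two paths reach the
   return statement without any write to `level`. */
int level_before(const char *name)
{
    int level;                    /* (1) declared without a value */
    if (name != NULL)             /* (2) 'false' branch skips the only write */
        find_level(name, &level); /*     'true' branch: status is ignored, so
                                         an unknown name falls through to (3) */
    return level;                 /* (4) read while still uninitialised */
}

/* After: the variable has a defined value on every path and the helper's
   status decides whether the looked-up value is used. */
int level_after(const char *name, int fallback)
{
    int level = fallback;
    if (name == NULL || find_level(name, &level) != 0)
        return fallback;
    return level;
}

int main(void)
{
    /* Constructed inputs: known name, unknown name, missing name. */
    printf("verbose -> %d\n", level_after("verbose", 1));
    printf("bogus   -> %d\n", level_after("bogus", 1));
    printf("(null)  -> %d\n", level_after(NULL, 1));
    return 0;
}
```

The defect spans two functions: the write lives in `find_level`, the read in its caller, which is why a report that only names the line of the read says less than the full path does.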



* Re: Coverity Scan
  2014-05-16 20:35       ` Jeffrey Altman
@ 2014-05-17 16:13         ` Corinna Vinschen
  0 siblings, 0 replies; 15+ messages in thread
From: Corinna Vinschen @ 2014-05-17 16:13 UTC (permalink / raw)
  To: cygwin


On May 16 16:03, Jeffrey Altman wrote:
> On 5/16/2014 4:00 PM, David Stacey wrote:
> > OK - we're in! You can find our project page at
> > https://scan.coverity.com/projects/2250. Off the list, I've sent e-mails
> > to Corinna and CGF inviting them to join the project ;-)
> 
> gold star?

Sure.  Thanks David!


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: Coverity Scan
  2014-05-16 20:03     ` David Stacey
  2014-05-16 20:35       ` Jeffrey Altman
@ 2014-05-17 10:13       ` Corinna Vinschen
  2014-05-17 23:13         ` David Stacey
  1 sibling, 1 reply; 15+ messages in thread
From: Corinna Vinschen @ 2014-05-17 10:13 UTC (permalink / raw)
  To: cygwin


Hi David,

On May 16 21:00, David Stacey wrote:
> On 25/04/14 16:53, Christopher Faylor wrote:
> >On Fri, Apr 25, 2014 at 10:35:00AM +0200, Corinna Vinschen wrote:
> >>On Apr 25 06:33, David Stacey wrote:
> >>>  Coverity Scan [1] is a commercial (paid for) static analysis tool, but
> >>>  they offer it to Open Source programmes for free. I was having a browse
> >>>  through the list of Open Source programmes using Coverity Scan, and
> >>>  noticed that Cygwin wasn't listed. Would there be any interest in
> >>>  analysing the cygwin1.dll source code on a fairly regular basis? If so,
> >>>  I would be happy to have a go at setting up an analysis job for Cygwin.
> >>>  I would imagine this would be of interest to CGF, Corinna and anyone
> >>>  else who regularly updates the Cygwin source code. Obviously, this is
> >>>  only worth doing if the analysis results are looked at and acted upon.
> >>Depends.  If the report contains lots of false positives, it's getting
> >>annoying pretty quickly.
> >We use coverity at work.  It is annoying and it does have false positive
> >but a lot of what look like false positives often turn out to be:  "Oh,
> >wait.  (#*(&$  Yeah.  That's a problem."
> >
> >If we could use coverity I'm sure it would be interesting if we can get
> >it.
> 
> OK - we're in! You can find our project page at
> https://scan.coverity.com/projects/2250. Off the list, I've sent e-mails to
> Corinna and CGF inviting them to join the project ;-)

I got no such mail.  You didn't try the account I'm using for the
mailing list, I hope?  Please use my company address vinschen AT
redhat DOT com.

> It would be responsible of us to restrict access to known vulnerabilities,
> so please _don't_ ask for visibility of the scan results. I will leave it to
> CGF and Corinna to decide who we give access to and when.

I have no idea how this works.  I had hoped I'd just get emails with
the scan results, the less fancy the solution, the better.  We can
set this up using gpg encrypted mails, that would be the most elegant
solution, IMHO.

> There is still a little work to do in setting up the Coverity scan. The next
> step is to group the code into logical clusters, which Coverity calls
> Components. Typically, this is done on directories or other file groupings,
> and the tool allows you to concentrate on just one of these components at
> once. If you let me know what components you'd like, I'll set them up.

Well, the problem is that we're going to switch to git pretty soon, and
that will slightly change the directory layout.  But basically, in the
winsup dir, you see the subdirs

  cygserver
  cygwin
  doc
  lsaauth
  testsuite
  utils

Of those you can ignore 

  doc
  testsuite

The other four would be natural groups, I think.  The toplevel and
winsup dirs don't need to be scanned either.

> The Coverity build is being performed on one of my PCs at the moment. I'll
> try to do this at least weekly using a snapshot from the snapshots page.
> I'll also try to submit patches as and when time allows.

You are aware that we need a copyright assignment from you if you'd like
to provide patches, right?  Please have a look at the "Before you get
started" section of http://cygwin.com/contrib.html

> But if this is
> going to work then anyone who regularly contributes to the Cygwin source
> code will have to make use of the tool.

In theory, at the time of writing this, I'd suggest to include only cgf,
yaakov, and me.  Other people could join us on request, if they provide
patches to the Cygwin code base, or provided non-trivial patches in the
past.

> Finally, I'd like to thank Dakshesh Vyas at Coverity for allowing us to join
> the Scan programme.

Yes, that's nice.  I'm thanking him as well.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: Coverity Scan
  2014-05-16 20:03     ` David Stacey
@ 2014-05-16 20:35       ` Jeffrey Altman
  2014-05-17 16:13         ` Corinna Vinschen
  2014-05-17 10:13       ` Corinna Vinschen
  1 sibling, 1 reply; 15+ messages in thread
From: Jeffrey Altman @ 2014-05-16 20:35 UTC (permalink / raw)
  To: cygwin


On 5/16/2014 4:00 PM, David Stacey wrote:
> OK - we're in! You can find our project page at
> https://scan.coverity.com/projects/2250. Off the list, I've sent e-mails
> to Corinna and CGF inviting them to join the project ;-)

gold star?




* Re: Coverity Scan
  2014-04-25 15:53   ` Christopher Faylor
  2014-04-25 19:09     ` David Arnstein
@ 2014-05-16 20:03     ` David Stacey
  2014-05-16 20:35       ` Jeffrey Altman
  2014-05-17 10:13       ` Corinna Vinschen
  1 sibling, 2 replies; 15+ messages in thread
From: David Stacey @ 2014-05-16 20:03 UTC (permalink / raw)
  To: cygwin

On 25/04/14 16:53, Christopher Faylor wrote:
> On Fri, Apr 25, 2014 at 10:35:00AM +0200, Corinna Vinschen wrote:
>> On Apr 25 06:33, David Stacey wrote:
>>>   Coverity Scan [1] is a commercial (paid for) static analysis tool, but
>>>   they offer it to Open Source programmes for free. I was having a browse
>>>   through the list of Open Source programmes using Coverity Scan, and
>>>   noticed that Cygwin wasn't listed. Would there be any interest in
>>>   analysing the cygwin1.dll source code on a fairly regular basis? If so,
>>>   I would be happy to have a go at setting up an analysis job for Cygwin.
>>>   
>>>   I would imagine this would be of interest to CGF, Corinna and anyone
>>>   else who regularly updates the Cygwin source code. Obviously, this is
>>>   only worth doing if the analysis results are looked at and acted upon.
>> Depends.  If the report contains lots of false positives, it's getting
>> annoying pretty quickly.
> We use coverity at work.  It is annoying and it does have false positive
> but a lot of what look like false positives often turn out to be:  "Oh,
> wait.  (#*(&$  Yeah.  That's a problem."
>
> If we could use coverity I'm sure it would be interesting if we can get
> it.

OK - we're in! You can find our project page at 
https://scan.coverity.com/projects/2250. Off the list, I've sent e-mails 
to Corinna and CGF inviting them to join the project ;-)

It would be responsible of us to restrict access to known 
vulnerabilities, so please _don't_ ask for visibility of the scan 
results. I will leave it to CGF and Corinna to decide who we give access 
to and when.

There is still a little work to do in setting up the Coverity scan. The 
next step is to group the code into logical clusters, which Coverity 
calls Components. Typically, this is done on directories or other file 
groupings, and the tool allows you to concentrate on just one of these 
components at once. If you let me know what components you'd like, I'll 
set them up.

The Coverity build is being performed on one of my PCs at the moment. 
I'll try to do this at least weekly using a snapshot from the snapshots 
page. I'll also try to submit patches as and when time allows. But if 
this is going to work then anyone who regularly contributes to the 
Cygwin source code will have to make use of the tool.

Finally, I'd like to thank Dakshesh Vyas at Coverity for allowing us to 
join the Scan programme.

Cheers,

Dave.



* Re: Coverity Scan
  2014-04-25 15:53   ` Christopher Faylor
@ 2014-04-25 19:09     ` David Arnstein
  2014-05-16 20:03     ` David Stacey
  1 sibling, 0 replies; 15+ messages in thread
From: David Arnstein @ 2014-04-25 19:09 UTC (permalink / raw)
  To: cygwin

On Fri, Apr 25, 2014 at 11:53:24AM -0400, Christopher Faylor wrote:
> We use coverity at work.  It is annoying and it does have false positive
> but a lot of what look like false positives often turn out to be:  "Oh,
> wait.  (#*(&$  Yeah.  That's a problem."

I use Coverity as well, and I find it to be excellent. The latest version
finds copy and paste errors. In particular, it recently issued two
complaints about such errors. In both cases, Coverity was correct, a
developer really had done copy-and-paste twice, introducing an error
each time.


* Re: Coverity Scan
  2014-04-25  8:35 ` Corinna Vinschen
  2014-04-25 12:20   ` David Stacey
@ 2014-04-25 15:53   ` Christopher Faylor
  2014-04-25 19:09     ` David Arnstein
  2014-05-16 20:03     ` David Stacey
  1 sibling, 2 replies; 15+ messages in thread
From: Christopher Faylor @ 2014-04-25 15:53 UTC (permalink / raw)
  To: cygwin

On Fri, Apr 25, 2014 at 10:35:00AM +0200, Corinna Vinschen wrote:
>On Apr 25 06:33, David Stacey wrote:
>> Coverity Scan [1] is a commercial (paid for) static analysis tool, but
>> they offer it to Open Source programmes for free. I was having a browse
>> through the list of Open Source programmes using Coverity Scan, and
>> noticed that Cygwin wasn't listed. Would there be any interest in
>> analysing the cygwin1.dll source code on a fairly regular basis? If so,
>> I would be happy to have a go at setting up an analysis job for Cygwin.
>> 
>> I would imagine this would be of interest to CGF, Corinna and anyone
>> else who regularly updates the Cygwin source code. Obviously, this is
>> only worth doing if the analysis results are looked at and acted upon.
>
>Depends.  If the report contains lots of false positives, it's getting
>annoying pretty quickly.

We use coverity at work.  It is annoying and it does have false positive
but a lot of what look like false positives often turn out to be:  "Oh,
wait.  (#*(&$  Yeah.  That's a problem."

If we could use coverity I'm sure it would be interesting if we can get
it.

cgf


* Re: Coverity Scan
  2014-04-25 12:20   ` David Stacey
@ 2014-04-25 13:33     ` Corinna Vinschen
  0 siblings, 0 replies; 15+ messages in thread
From: Corinna Vinschen @ 2014-04-25 13:33 UTC (permalink / raw)
  To: cygwin


On Apr 25 13:19, David Stacey wrote:
> On 25/04/14 09:35, Corinna Vinschen wrote:
> >>  There are some conditions associated with using Coverity Scan [2]. The
> >>  one thing that jumps out is that our relationship with RedHat might be
> >>  a stumbling block. We can but ask - the worst that can happen is that
> >>  they politely decline.
> >They will.  #7 won't fly due to the buyout license clause.
> 
> Would you like me to enquire anyway?

Well, asking never hurts :)

> >>  There have been a few hints on this list about a possible move from CVS
> >>  to git. If such a move were on the cards then that should probably
> >>  happen first - I wouldn't want the nugatory effort of getting this
> >>  working from CVS only to have to change it almost immediately.
> >Yeah, I'm not exactly looking forward to it since I'm very familiar
> >with CVS or SVN, but have nothing but trouble with git.  But since
> >everybody else is so very happy with git, I guess I'll have to adapt.
> >Teeth-gnashingly.
> 
> It might help ease your pain knowing that you can use github with a
> svn client (to a limited extent):
> https://help.github.com/articles/support-for-subversion-clients

Neat.  But I fear it's time to get used to the idea.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Re: Coverity Scan
  2014-04-25  8:35 ` Corinna Vinschen
@ 2014-04-25 12:20   ` David Stacey
  2014-04-25 13:33     ` Corinna Vinschen
  2014-04-25 15:53   ` Christopher Faylor
  1 sibling, 1 reply; 15+ messages in thread
From: David Stacey @ 2014-04-25 12:20 UTC (permalink / raw)
  To: cygwin

On 25/04/14 09:35, Corinna Vinschen wrote:
>>   There are some conditions associated with using Coverity Scan [2]. The
>>   one thing that jumps out is that our relationship with RedHat might be
>>   a stumbling block. We can but ask - the worst that can happen is that
>>   they politely decline.
> They will.  #7 won't fly due to the buyout license clause.

Would you like me to enquire anyway?

>
>>   There have been a few hints on this list about a possible move from CVS
>>   to git. If such a move were on the cards then that should probably
>>   happen first - I wouldn't want the nugatory effort of getting this
>>   working from CVS only to have to change it almost immediately.
> Yeah, I'm not exactly looking forward to it since I'm very familiar
> with CVS or SVN, but have nothing but trouble with git.  But since
> everybody else is so very happy with git, I guess I'll have to adapt.
> Teeth-gnashingly.

It might help ease your pain knowing that you can use github with a svn 
client (to a limited extent):
https://help.github.com/articles/support-for-subversion-clients

Dave.



* Re: Coverity Scan
  2014-04-25  5:33 David Stacey
@ 2014-04-25  8:35 ` Corinna Vinschen
  2014-04-25 12:20   ` David Stacey
  2014-04-25 15:53   ` Christopher Faylor
  0 siblings, 2 replies; 15+ messages in thread
From: Corinna Vinschen @ 2014-04-25  8:35 UTC (permalink / raw)
  To: cygwin


On Apr 25 06:33, David Stacey wrote:
> Coverity Scan [1] is a commercial (paid for) static analysis tool, but
> they offer it to Open Source programmes for free. I was having a browse
> through the list of Open Source programmes using Coverity Scan, and
> noticed that Cygwin wasn't listed. Would there be any interest in
> analysing the cygwin1.dll source code on a fairly regular basis? If so,
> I would be happy to have a go at setting up an analysis job for Cygwin.
> 
> I would imagine this would be of interest to CGF, Corinna and anyone
> else who regularly updates the Cygwin source code. Obviously, this is
> only worth doing if the analysis results are looked at and acted upon.

Depends.  If the report contains lots of false positives, it's getting
annoying pretty quickly.

> There are some conditions associated with using Coverity Scan [2]. The
> one thing that jumps out is that our relationship with RedHat might be
> a stumbling block. We can but ask - the worst that can happen is that
> they politely decline.

They will.  #7 won't fly due to the buyout license clause.

> There have been a few hints on this list about a possible move from CVS
> to git. If such a move were on the cards then that should probably
> happen first - I wouldn't want the nugatory effort of getting this
> working from CVS only to have to change it almost immediately.

Yeah, I'm not exactly looking forward to it since I'm very familiar
with CVS or SVN, but have nothing but trouble with git.  But since
everybody else is so very happy with git, I guess I'll have to adapt.
Teeth-gnashingly.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat


* Coverity Scan
@ 2014-04-25  5:33 David Stacey
  2014-04-25  8:35 ` Corinna Vinschen
  0 siblings, 1 reply; 15+ messages in thread
From: David Stacey @ 2014-04-25  5:33 UTC (permalink / raw)
  To: cygwin

Coverity Scan [1] is a commercial (paid for) static analysis tool, but
they offer it to Open Source programmes for free. I was having a browse
through the list of Open Source programmes using Coverity Scan, and
noticed that Cygwin wasn't listed. Would there be any interest in
analysing the cygwin1.dll source code on a fairly regular basis? If so,
I would be happy to have a go at setting up an analysis job for Cygwin.

I would imagine this would be of interest to CGF, Corinna and anyone
else who regularly updates the Cygwin source code. Obviously, this is
only worth doing if the analysis results are looked at and acted upon.

There are some conditions associated with using Coverity Scan [2]. The
one thing that jumps out is that our relationship with RedHat might be
a stumbling block. We can but ask - the worst that can happen is that
they politely decline.

There have been a few hints on this list about a possible move from CVS
to git. If such a move were on the cards then that should probably
happen first - I wouldn't want the nugatory effort of getting this
working from CVS only to have to change it almost immediately.

Any thoughts?

Dave.

[1] - https://scan.coverity.com/
[2] - https://scan.coverity.com/faq#how-get-project-included-in-scan


