On Saturday, April 10, 2021 12:26:37 PM CEST Bruno Haible wrote:
> Hi Ondrej,
>
> > proposing patch for some of the issues found by coverity scan in tar-1.34
>
> Thanks for these reports.
>
> When we get Coverity reports, we fix the things that are valid complaints
> about the code, but we do NOT change the code to reduce the number of
> reported issues. That is because

If you have enough time to manually review the same false positives over and
over, this might work well for you. Not everybody is in the same situation.

> 1) Coverity has a UI where you can mark issues as false issues, even with
> a rationale, and such resolutions are even propagated when the same source
> file is used in a different project (such as gnulib vs. tar).

So you have access to this UI; not everybody does. Some developers prefer a
terminal-based workflow over a web-based UI. In any case, the data you enter
through this UI is completely isolated from the open-source software that you
maintain. Downstream consumers either have to feed their own instance of the
UI manually again, or just use something else without any cooperation with
upstream.

> 2) About 80% to 90% of the reported issues are false issues. We would be
> seriously contorting the source code if we attempted to change the code to
> avoid the reports.

If you keep fixing real issues and ignoring false positives, such a situation
is kind of expected.

Kamil

> Bruno