Perhaps open the JIRA with only a reference/link to the Coverity report, and limit access to only those working on the issues.
Full disclosure: update the JIRA after the fix.

--
Davi Ottenheimer
Senior Director of Trust
EMC Corporation
davi.ottenhei...@emc.com | @daviottenheimer | +1-415-271-6259
blog: http://www.flyingpenguin.com/

> -----Original Message-----
> From: shaposh...@gmail.com [mailto:shaposh...@gmail.com] On Behalf Of
> Roman Shaposhnik
> Sent: Monday, August 26, 2013 10:50 AM
> To: common-dev@hadoop.apache.org
> Subject: Re: Coverity Scan (MAPREDUCE-5032)
>
> On Mon, Aug 26, 2013 at 10:43 AM, Vinod Kumar Vavilapalli
> <vino...@apache.org> wrote:
> >
> > Can you file a JIRA and attach the report there? That is the best way to
> > move this forward.
>
> Last time I was involved in a Coverity scan was when they scanned another
> project I'm a committer on (FFmpeg). The lesson there was that the value you
> get out of browsing on their site https://scan.coverity.com is immeasurably
> higher than from any static report that can be attached to a JIRA.
>
> Also, at least in FFmpeg's case, Coverity identified a few things that could've
> been used as potential exploits, so it made perfect sense to have a white-list
> of project members who could get access to the initial report instead of going
> all public with it to begin with (which would happen if it just gets attached to
> a JIRA in its entirety).
>
> Just my 2c worth of working with them in the past.
>
> Thanks,
> Roman.