Hi
On Tue, Dec 17, 2013 at 4:34 PM, Tomas Hozza wrote:

> Publishing scan results for all Fedora packages might not be a very good
> idea, since the static analysis can find issues with possible security impact.

Sure, and if someone wants to understand that security impact in order to exploit it, they can always use Coverity right now to find it out. But if this is really a concern, one could easily gate access to the reports using FAS.

> Also Coverity offers their tool to open-source projects for free [1]. I think
> some projects are already using it (at least Squid). So if upstream projects
> are interested, they can sign up for free.

That is true, but it is clear that the majority of projects are not doing that, and as a distributor of thousands of projects, I think Fedora can provide good value for upstream and itself by doing it in a central place proactively. Red Hat is already doing it for some packages. We just need to find a way to increase that coverage and provide the reports in a way accessible to volunteer Fedora package maintainers.

Rahul
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct