Hello Python Developers,
I'm the CTO of Coverity, Inc., a company that does static source code analysis to look for defects in code. You may have heard of us or of our technology from its days at Stanford (the "Stanford Checker"). The reason I'm writing is because we have set up a framework internally to continually scan open source projects and provide the results of our analysis back to the developers of those projects. Python is one of the 32 projects currently scanned at:
My belief is that we (Coverity) must reach out to the developers of these packages (you) in order to make progress in actually fixing the defects that we happen to find, so this is my first step in that mission. Of course, I think Coverity technology is great, but I want to hear what you think and that's why I worked with folks at Coverity to put this infrastructure in place. The process is simple -- it checks out your code each night from your repository and scans it so you can always see the latest results.
Right now, we're guarding access to the actual defects that we report for a couple of reasons: (1) We think that you, as developers of Python, should have the chance to look at the defects we find to patch them before random other folks get to see what we found and (2) From a support perspective, we want to make sure that we have the appropriate time to engage with those who want to use the results to fix the code. Because of this second point, I'd ask that if you are interested in really digging into the results a bit further for your project, please have a couple of core maintainers (or group nominated individuals) reach out to me to request access. As this is a new process for us and still involves a small number of packages, I want to make sure that I personally can be involved with the activity that is generated from this effort.
So I'm basically asking for people who want to play around with some cool new technology to help make source code better. If this interests you, please feel free to reach out to me directly. And of course, if there are other packages you care about that aren't currently on the list, I want to know about those too.
If this is the wrong list, my sincerest apologies and please let me know where would be a more appropriate forum for this type of message.
Many thanks for reading this far...
-ben
Ben Chelf Chief Technology Officer Coverity, Inc.
[Ben Chelf ben@coverity.com]
... I'd ask that if you are interested in really digging into the results a bit further for your project, please have a couple of core maintainers (or group nominated individuals) reach out to me to request access.
Didn't we set up a "security swat team" some time ago? If not, we should. Regardless, since I have more free time these days, I'd like to be on it.
think-of-it-as-john-kelly-reaching-out-to-andy-spowicz-ly y'rs - tim
On Mon, 2006-03-06 at 14:26 -0500, Tim Peters wrote:
[Ben Chelf ben@coverity.com]
... I'd ask that if you are interested in really digging into the results a bit further for your project, please have a couple of core maintainers (or group nominated individuals) reach out to me to request access.
Didn't we set up a "security swat team" some time ago? If not, we should. Regardless, since I have more free time these days, I'd like to be on it.
Yep, it's called security@python.org (with a semi-secret backing mailing list, which I'd be happy for you to join!). I definitely think that group of folks at the least should review the results.
-Barry
On 3/6/06, Barry Warsaw barry@python.org wrote:
Didn't we set up a "security swat team" some time ago? If not, we should. Regardless, since I have more free time these days, I'd like to be on it.
Yep, it's called security@python.org (with a semi-secret backing mailing list, which I'd be happy for you to join!). I definitely think that group of folks at the least should review the results.
Well, if we start volunteering here, I'll volunteer as well. (For either group.) Can't let Tim have all the fun!
-- Thomas Wouters thomas@python.org
Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
On 3/6/06, Thomas Wouters thomas@python.org wrote:
On 3/6/06, Barry Warsaw barry@python.org wrote:
Didn't we set up a "security swat team" some time ago? If not, we should. Regardless, since I have more free time these days, I'd like to be on it.
Yep, it's called security@python.org (with a semi-secret backing mailing list, which I'd be happy for you to join!). I definitely think that group of folks at the least should review the results.
Well, if we start volunteering here, I'll volunteer as well. (For either group.) Can't let Tim have all the fun!
I also sent mail to Ben volunteering. I expect the scope of defects recognized is larger than just security. In particular, the compiler has a large body of code that has never been released before. It would be nice to catch a few of its bugs before a release :-).
Jeremy
[Barry]
Yep, it's called security@python.org (with a semi-secret backing mailing list, which I'd be happy for you to join!).
If guessing the right Mailman URL was the semi-secret test, I passed :-)
I definitely think that group of folks at the least should review the results.
Yup!
On Mon, 6 Mar 2006, Barry Warsaw wrote:
On Mon, 2006-03-06 at 14:26 -0500, Tim Peters wrote:
[Ben Chelf ben@coverity.com]
... I'd ask that if you are interested in really digging into the results a bit further for your project, please have a couple of core maintainers (or group nominated individuals) reach out to me to request access.
Didn't we set up a "security swat team" some time ago? If not, we should. Regardless, since I have more free time these days, I'd like to be on it.
Yep, it's called security@python.org (with a semi-secret backing mailing list, which I'd be happy for you to join!). I definitely think that group of folks at the least should review the results.
-Barry
From their open source chart:
Project      Defects    LOC      Defects/KLOC
OpenVPN          7    69,842      0.100
Perl            89   479,780      0.186
PHP            207   431,251      0.480
PostgreSQL     297   815,700      0.364
ProFTPD         26    89,650      0.290
Python          59   259,896      0.227
Samba          215   312,482      0.688
This is interesting stuff. See http://metacomp.stanford.edu for some background.
The Coverty marketing droids need to be a bit less anal about getting people to register at the website. IMHO, the technology should be described openly and allowed to speak for itself. On the other hand, the policy of not disclosing discovered bugs until someone has had a chance to evaluate their significance and fix them is probably a good one.
I'd also encourage Coverity to explain their business model a bit more clearly. Coverity seems to be supportive of open source projects. Coverity also seems to be targeting big companies as customers. It's not clear how arbitrary open source projects (and small companies and individuals) will be able to take advantage of Coverity's products and services.
From Ben's email:
... if you are interested in really digging into the results a bit further for your project, please have a couple of core maintainers (or group nominated individuals) reach out to me to request access. As this is a new process for us and still involves a small number of packages, I want to make sure that I personally can be involved with the activity that is generated from this effort.
So I'm basically asking for people who want to play around with some cool new technology to help make source code better. If this interests you, please feel free to reach out to me directly. And of course, if there are other packages you care about that aren't currently on the list, I want to know about those too.
This looks to me to be something worth doing. I wish I had the time to be one of the designated folks, but, sadly, I don't.
The Coverity marketing droids need to be a bit less anal about getting people to register at the website. IMHO, the technology should be
Honestly, I laughed out loud when I read this. ;) So thanks for that.
I'd also encourage Coverity to explain their business model a bit more clearly. Coverity seems to be supportive of open source projects. Coverity also seems to be targeting big companies as customers. It's not clear how arbitrary open source projects (and small companies and individuals) will be able to take advantage of Coverity's products and services.
Here's my take on this -- in the last couple of years, I've personally been to hundreds of companies (some big, some small) in an effort to get our technology out there. Of course it's no surprise that I see open source projects everywhere -- as part of infrastructure or part of code bases that people are developing. So from a Coverity perspective, clearly we want to provide source code analysis for the projects that our customers care about (their own as well as open source).
Putting on my idealistic hat and remembering back to my grad school days, I think we're on to something very new in the world of source code analysis. I really just want every developer to use source code analysis while they write code (remember, idealistic :)). We got a lot of the good publicity in the research lab because there existed this big open source OS that we could test our theories on. So from that angle, I think it makes sense for Coverity to have a strong relationship with the open source community since that community has been helping us pretty much since day 1. This project is just the next step in that...it's certainly not the last.
There's plenty more to do to target every developer.
-ben
On 3/7/06, Ben Chelf ben@coverity.com wrote:
Putting on my idealistic hat and remembering back to my grad school days, I think we're on to something very new in the world of source code analysis. I really just want every developer to use source code analysis while they write code (remember, idealistic :)). We got a lot of the good publicity in the research lab because there existed this big open source OS that we could test our theories on. So from that angle, I think it makes sense for Coverity to have a strong relationship with the open source community since that community has been helping us pretty much since day 1. This project is just the next step in that...it's certainly not the last.
There's plenty more to do to target every developer.
Well, as long as we're talking idealistically, I wonder how easy it would be to add reference-counting tracking to Coverity Prevent. Python, Perl and (I believe) PHP all have their own kind of refcounting, but the base semantics are pretty much the same: a function can return a new or a borrowed reference, and it can borrow or steal references passed to it. Without having seen how Prevent works, it feels to me like it would be a small addition to keep track of these application-specific details. Or, perhaps more generic, add a few markers to keep track of them; in Python, you'd only have to mark Py_INCREF and Py_DECREF, and possibly manual fidgeting with an object's refcount (which is hopefully extremely rare.)
I say 'idealistically', though, because I don't know how much business sense it makes to cater to refcounting mechanisms.
-- Thomas Wouters thomas@python.org
Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
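To make the "few markers" idea from Thomas's message concrete, here is a toy ownership checker, added here as an illustration and not part of the thread or of Coverity's analysis. It replays a trace of CPython C-API calls against exactly those two markers per call (is the return a new or a borrowed reference, and which arguments are stolen) and reports leaked new references and releases of references the code does not own; the ownership table follows the documented CPython semantics, and the call traces are constructed.

```python
"""Toy ownership checker for CPython refcounting (constructed example, not
Coverity's analysis): replay a C-API call trace against per-call markers and
report leaked new references and releases of references the code doesn't own."""

# (ownership of the return value, indices of stolen arguments), following the
# documented CPython C-API semantics for each call.
API = {
    "PyList_New":      ("new", []),
    "PyLong_FromLong": ("new", []),
    "PyList_GetItem":  ("borrowed", []),
    "PyList_Append":   (None, []),   # borrows the item; caller still owns it
    "PyList_SetItem":  (None, [2]),  # steals the item (argument index 2)
    "Py_DECREF":       (None, [0]),  # consumes the reference it is given
}

def check(trace):
    """trace: list of (api_name, [argument names], result name or None).
    Returns a list of findings; an empty list means the trace is clean."""
    owned = set()  # names currently holding a reference this code owns
    findings = []
    for func, args, result in trace:
        ret_kind, stolen = API[func]
        for index in stolen:
            name = args[index]
            if name in owned:
                owned.discard(name)
            else:  # stealing a borrowed reference, or a double release
                findings.append(f"{func}: releases {name}, which is not owned here")
        if ret_kind == "new":
            owned.add(result)
    for name in sorted(owned):
        findings.append(f"leak: new reference {name} never released")
    return findings

# Constructed traces. PyList_SetItem steals v, so no Py_DECREF(v) is needed...
GOOD = [
    ("PyList_New", ["1"], "lst"),
    ("PyLong_FromLong", ["42"], "v"),
    ("PyList_SetItem", ["lst", "0", "v"], None),
    ("Py_DECREF", ["lst"], None),
]

# ...whereas PyList_Append only borrows v, so omitting Py_DECREF(v) leaks it.
LEAKY = [
    ("PyList_New", ["0"], "lst"),
    ("PyLong_FromLong", ["42"], "v"),
    ("PyList_Append", ["lst", "v"], None),
    ("Py_DECREF", ["lst"], None),
]
```

Passing a borrowed reference (e.g. the result of PyList_GetItem) to a stealing call, or releasing the same owned reference twice, is reported by the same rule.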
FWIW, Coverity has been busy marketing this already:
http://www.pcpro.co.uk/news/84465/key-opensource-code-passes-muster.html
-- --Guido van Rossum (home page: http://www.python.org/~guido/)