[Python-Dev] Coverity Open Source Defect Scan of Python
allison at shasta.stanford.edu
Mon Mar 6 21:42:41 CET 2006
On Mon, 6 Mar 2006, Barry Warsaw wrote:
> On Mon, 2006-03-06 at 14:26 -0500, Tim Peters wrote:
> > [Ben Chelf <ben at coverity.com>]
> > > ...
> > > I'd ask that if you are interested in really digging into the results a bit
> > > further for your project, please have a couple of core maintainers (or
> > > group nominated individuals) reach out to me to request access.
> > Didn't we set up a "security swat team" some time ago? If not, we
> > should. Regardless, since I have more free time these days, I'd like
> > to be on it.
> Yep, it's called security at python.org (with a semi-secret backing mailing
> list, which I'd be happy for you to join!). I definitely think that
> group of folks at the least should review the results.
>From their open source chart:
OpenVPN 7 69,842 0.100 Sign in Register
Perl 89 479,780 0.186 Sign in Register
PHP 207 431,251 0.480 Sign in Register
PostgreSQL 297 815,700 0.364 Sign in Register
ProFTPD 26 89,650 0.290 Sign in Register
Python 59 259,896 0.227 Sign in Register
Samba 215 312,482 0.688 Sign in Register
This is interesting stuff. See http://metacomp.stanford.edu for some
The Coverty marketing droids need to be a bit less anal about getting
people to register at the website. IMHO, the technology should be
described openly and allowed to speak for itself. On the other hand, the
policy of not disclosing discovered bugs until someone has had a chance to
evaluate their significance and fix them is probably a good one.
I'd also encourage Coventry to explain their business model a bit more
clearly. Coventry seems to be supportive of open source projects.
Coverty also seems to be targeting big companies as customers. It's not
clear how arbitrary open source projects (and small companies and
individuals) will be able to take advantage of Coventry's products and
>From Ben's email:
... if you are interested in
really digging into the results a bit further for your project, please
have a couple of core maintainers (or group nominated individuals) reach
out to me to request access. As this is a new process for us and still
involves a small number of packages, I want to make sure that I
personally can be involved with the activity that is generated from this
So I'm basically asking for people who want to play around with some
cool new technology to help make source code better. If this interests
you, please feel free to reach out to me directly. And of course, if
there are other packages you care about that aren't currently on the
list, I want to know about those too.
This looks to me to be something worth doing. I wish I had the time to be
one of the designated folks, but, sadly, I don't.
More information about the Python-Dev