[Python-Dev] Coverity Open Source Defect Scan of Python
Dennis Allison
allison at shasta.stanford.edu
Mon Mar 6 21:42:41 CET 2006
On Mon, 6 Mar 2006, Barry Warsaw wrote:
> On Mon, 2006-03-06 at 14:26 -0500, Tim Peters wrote:
> > [Ben Chelf <ben at coverity.com>]
> > > ...
> > > I'd ask that if you are interested in really digging into the results a bit
> > > further for your project, please have a couple of core maintainers (or
> > > group nominated individuals) reach out to me to request access.
> >
> > Didn't we set up a "security swat team" some time ago? If not, we
> > should. Regardless, since I have more free time these days, I'd like
> > to be on it.
>
> Yep, it's called security at python.org (with a semi-secret backing mailing
> list, which I'd be happy for you to join!). I definitely think that
> group of folks at the least should review the results.
>
> -Barry
>
From their open source chart:

Project      Defects  Lines of code  Defects per 1,000 lines
OpenVPN            7         69,842                    0.100
Perl              89        479,780                    0.186
PHP              207        431,251                    0.480
PostgreSQL       297        815,700                    0.364
ProFTPD           26         89,650                    0.290
Python            59        259,896                    0.227
Samba            215        312,482                    0.688
This is interesting stuff. See http://metacomp.stanford.edu for some
background.
The Coverity marketing droids need to be a bit less anal about getting
people to register at the website. IMHO, the technology should be
described openly and allowed to speak for itself. On the other hand, the
policy of not disclosing discovered bugs until someone has had a chance to
evaluate their significance and fix them is probably a good one.
I'd also encourage Coverity to explain their business model a bit more
clearly. Coverity seems to be supportive of open source projects.
Coverity also seems to be targeting big companies as customers. It's not
clear how arbitrary open source projects (and small companies and
individuals) will be able to take advantage of Coverity's products and
services.
From Ben's email:
... if you are interested in
really digging into the results a bit further for your project, please
have a couple of core maintainers (or group nominated individuals) reach
out to me to request access. As this is a new process for us and still
involves a small number of packages, I want to make sure that I
personally can be involved with the activity that is generated from this
effort.
So I'm basically asking for people who want to play around with some
cool new technology to help make source code better. If this interests
you, please feel free to reach out to me directly. And of course, if
there are other packages you care about that aren't currently on the
list, I want to know about those too.
This looks to me to be something worth doing. I wish I had the time to be
one of the designated folks, but, sadly, I don't.