
Gennaro Prota wrote:
Marshall Clow wrote:
At 3:02 PM -0500 2/3/09, Michael Fawcett wrote:
Purely out of curiosity, how come Boost isn't at Rung 1 in the Coverity Scan Ladder?
Boost and Boost.Build are both listed in Rung 0, so it appears that the only step left is selecting a Boost/Coverity liaison.
I don't have a problem signing up as a liaison and helping people get stuff fixed, but I think that someone with a bit of legal training needs to look at the license that Coverity wants people to agree to before using the scan results. [ It looks pretty harmless to me, but IANAL ]
Well, since you brought up the issue... I'm not a lawyer either, but I'd *not* agree to anything like:
Coverity may, in its sole discretion, modify or revise these terms and conditions and policies at any time, and you agree to be bound by such modifications or revisions.
That's the fourth line of text, and I quit reading.
That's not great, is it? But if you read on a bit further a more practical problem becomes apparent (if I have understood it correctly): the person who registers with them is allowed to see the analysis but they're not allowed to reveal it to anyone else (e.g. by posting to this list), except indirectly by posting the bug fixes. I can see that that might work for some projects, but for a collection of sub-projects like Boost where no-one has expert understanding of everything, it doesn't seem appropriate.

For what it's worth, I do believe that their tool does useful things. For example I guess that it could have found the bug in interprocess::sp_counted_impl.hpp that was reported a few days ago.

Phil.