On Wednesday 16 August 2006 20:07, m h wrote:
> Ok, so in the meantime I used 2.0 for a little bit more and (got so
> frustrated with silly crashes that I) pulled out valgrind. Amazingly
> there were cases where it didn't crash when running under valgrind,
> that would immediately crash otherwise.
>
> So I'm volunteering myself to work with these scanning companies if
> they accept (in fact I've already sent them proposals). I haven't
> done C++ in years (mostly using python and java), but I think this
> will be a worthwhile way to improve the stability of cinelerra.
>
> What I need from the core maintainers is help and advice. I already
> received a response from Klocwork. They want to know if I'm a
> maintainer; since I'm not, but am willing to shoulder these tasks,
> I'll need some sponsorship from a maintainer. Also will need advice
> regarding what to scan, etc (i.e., I think we should scan a pre 2.1
> merge, because the stability of the merged version could still be in
> question....).

Matt, thanks for taking the initiative.

There's a problem with these automatic tests: they are geared to find
security flaws. But, frankly, security is of little concern for
Cinelerra. As Andraž has pointed out, there will be a lot of
uninteresting bugs (like arrays of BC_TEXTLEN being filled with user
input). I don't feel like fixing them because it's unlikely that they
will flow upstream.

The most interesting cases are missing or incorrect locking. _If_ the
testing can find such bugs, and _if_ it can ignore (*) the forest of
uninteresting flaws, it will be worth every penny and you have my
support.

(*) i.e. there is some means to filter them easily from the reports;
plus Klocwork will not feel abused because we don't fix these bugs.

-- 
Hannes

> Anyway I need to respond to the Klocwork guys. So are maintainers
> willing to work with me and accept patches based on scanning tools?
>
> thanks
>
> -matt
>
> ps. Here's the Klocwork response.
>
> Hi Matt,
> Yes, we can build your code and analyze it for defects and security
> vulnerabilities. The offer we have for open source communities is that
> we will analyze your code on a periodic basis as long as Cinelerra is
> getting value from the results. The only thing we ask in return is
> that if any reported bugs make it into your fix process, you provide
> credit to Klocwork. We hope you see that as a fair deal!!
> Are you a core maintainer? We want to ensure that core maintainers are
> involved in any analysis since, as you can imagine, there are thousands
> of contributors to open source and we wouldn't have the resources to
> respond to all their individual requests.
> I look forward to hearing from you.
>
> Cheers,
>
> Adam Harrison
> [EMAIL PROTECTED]
>
> _______________________________________________
> Cinelerra mailing list
> [email protected]
> https://init.linpro.no/mailman/skolelinux.no/listinfo/cinelerra
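Added example, not code from the thread or from Cinelerra itself: it shows the bug class Hannes calls "uninteresting" (a fixed-size char[BC_TEXTLEN] array filled from user-controlled input, which is exactly the pattern a static analyzer such as Klocwork reports) next to the bounded variant that keeps the same buffer but reports truncation instead of overflowing. The value of BC_TEXTLEN, the text_field_t type and all function names are assumptions made for this example; the real constant lives in Cinelerra's headers and is not reproduced here.

```c
/* Added example (not from the Cinelerra thread). Demonstrates the
 * "array of BC_TEXTLEN filled with user input" pattern a static analyzer
 * flags, and a bounded replacement that reports truncation.
 * BC_TEXTLEN below is an ASSUMED value standing in for Cinelerra's own. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BC_TEXTLEN 1024   /* assumed; Cinelerra defines the real one */

typedef struct {
    char text[BC_TEXTLEN];   /* the fixed-size field every GUI widget uses */
} text_field_t;

/* The unbounded pattern: strcpy(field->text, src) writes strlen(src)+1
 * bytes regardless of the buffer size. This predicate says whether that
 * call would run past the end of a char[BC_TEXTLEN]; it is what the
 * analyzer is effectively computing when it reports such a site. */
static bool strcpy_would_overflow(const char *src)
{
    return strlen(src) + 1 > BC_TEXTLEN;
}

/* Bounded replacement: copies at most BC_TEXTLEN-1 bytes, always
 * NUL-terminates, and returns true if the input had to be cut. */
static bool text_field_set(text_field_t *f, const char *src)
{
    size_t n = strlen(src);
    bool truncated = n >= sizeof f->text;
    if (truncated)
        n = sizeof f->text - 1;
    memcpy(f->text, src, n);
    f->text[n] = '\0';
    return truncated;
}

/* Same idea for the formatted case (paths built from a directory and a
 * file name): snprintf returns the length the full string would have had,
 * so a result >= the buffer size means the output was truncated. */
static bool text_field_join_path(text_field_t *f, const char *dir,
                                 const char *name)
{
    int n = snprintf(f->text, sizeof f->text, "%s/%s", dir, name);
    return n < 0 || (size_t)n >= sizeof f->text;
}

/* Convenience wrappers so results can be checked without a caller having
 * to declare a text_field_t. */
static size_t stored_length(const char *src)
{
    text_field_t f;
    text_field_set(&f, src);
    return strlen(f.text);
}

static bool set_is_truncated(const char *src)
{
    text_field_t f;
    return text_field_set(&f, src);
}

static bool join_is_truncated(const char *dir, const char *name)
{
    text_field_t f;
    return text_field_join_path(&f, dir, name);
}

/* CONSTRUCTED input: a 1999-character title, well over BC_TEXTLEN. */
static const char *constructed_long_input(void)
{
    static char buf[2000];
    if (buf[0] == '\0') {
        memset(buf, 'A', sizeof buf - 1);
        buf[sizeof buf - 1] = '\0';
    }
    return buf;
}

int main(void)
{
    const char *big = constructed_long_input();
    printf("strcpy of %zu bytes into char[%d] would overflow: %s\n",
           strlen(big) + 1, BC_TEXTLEN,
           strcpy_would_overflow(big) ? "yes" : "no");
    printf("bounded set stores %zu bytes, truncated=%d\n",
           stored_length(big), set_is_truncated(big));
    printf("join of long dir truncated=%d, short join truncated=%d\n",
           join_is_truncated(big, "project.xml"),
           join_is_truncated("/tmp", "project.xml"));
    return 0;
}
```

The point for triage is the one Hannes makes: on a desktop video editor the overflowing input is the user's own title or file name, so the finding is real but rarely worth a patch, whereas a missing lock is a crash the user cannot avoid. The bounded form is still the cheap fix when one of these sites is touched anyway, because the return value makes truncation visible instead of silent.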
