On 26.02.2011 15:05, Glenn Adams wrote:

Establishing a zero-FindBugs policy at build level: absolutely not.


So you offer no rationale or reason for such an opinion? Or your only reason
for this is that FindBugs is not perfect? Or because you find it too
troublesome to type "ant findbugs" and look at the results?

From my point of view, it's a matter of diminishing returns.
The basic checkstyle rule set does a lot for improving
maintainability, and complaints are easily fixed.

While findbugs (as well as more sophisticated checkstyle rule
sets) uncovers additional problems, it also produces quite a
few false positives. This causes some significant effort spent
on deciding whether a findbugs complaint is really a bug which
must be fixed, diverting our scarce resources from possibly more
pressing problems, like implementing features many users have
already been waiting years for.

Last time I checked, findbugs had around 50% false positives for
my code base, and it had missed *all* important bugs which had
burnt me in the months before. These numbers would not be good
enough to install findbugs usage as a policy. And there were cases
where fixing a findbugs complaint got tricky, meaning pushing out
a feature would be delayed for *all* users because someone,
somewhere *might* see a malfunction.

I haven't looked at your patch which fixed all the findbugs issues
in FOP. Do you have the numbers of false positives and some
estimates about the impact the real bugs would have had? If the
numbers prove that findbugs systematically adds value, it might
be worth changing policy.

For some more info, and a good laugh, you might want to read
the following article:

http://cacm.acm.org/magazines/2010/2/69354-a-few-billion-lines-of-code-later/fulltext

Regards
J.Pietschmann
