Re: [Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-13 Thread Michael Chermside
Dennis Allison writes:
 I'd also encourage Coverity to explain their business model a bit more
 clearly.

Ben Chelf writes:
 Of course it's no surprise that I see open
 source projects everywhere -- as part of infrastructure or part of code
 bases that people are developing. So from a Coverity perspective,
 clearly we want to provide source code analysis for the projects that
 our customers care about
   [...]
 I really just want every developer to use source code analysis
 while they write code
   [...]
 We got a lot of the
 good publicity in the research lab because there existed this big open
 source OS that we could test our theories on.
   [...]
 I think it makes sense for Coverity to have a strong relationship with
 the open source community since that community has been helping us
 pretty much since day 1


I work for a business... and we pay full price for the tools that we
use in our work. I am aware of and follow the work that I and my
colleagues do -- when someone has a good idea, I tend to learn from
that and introduce the same idea in future projects. I also am aware
of and follow the work of quite a few open source projects (to
different degrees depending on the project). In fact, I see far more
open source projects than I do other projects. I learn a lot of good
ideas from these projects also, and I use them in my paid work. For
example, it was my experience with open source projects that convinced
me that extensive unit tests that are expected to always pass was a
feasible and useful idea. Many of the ways that open source projects
are managed are also beginning to work their way into my professional
life also. It's just that I see far more open source projects than
others, and frankly the open source projects are almost always better
run, with higher standards.

I doubt I'm the only one... I think open source will be leading the
way in software development standards for some time now. So I think
offering a software development tool FREE to open source projects in
hopes of selling it for money to commercial projects is a WONDERFUL
business model. Good luck!

-- Michael Chermside

(PS: too bad I can't buy stock in Coverity. How come all the GOOD
companies are private? I had to wait around 6 years before I could
buy stock in Google.)

___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


Re: [Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-13 Thread Scott David Daniels
Michael Chermside wrote:
 (PS: too bad I can't buy stock in Coverity. How come all the GOOD
 companies are private? I had to wait around 6 years before I could
 buy stock in Google.)

Maybe because the companies whose stock is available early are companies
bent on producing stock profits, rather than a solid value proposition.
Trying to satisfy the profit-lust of angels has redirected more than one
company.

--Scott David Daniels
[EMAIL PROTECTED]



Re: [Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-11 Thread Ben Chelf


 The Coverity marketing droids need to be a bit less anal about getting
 people to register at the website.  IMHO, the technology should be

Honestly, I laughed out loud when I read this. ;) So thanks for that.

 
 I'd also encourage Coverity to explain their business model a bit more
 clearly.  Coverity seems to be supportive of open source projects.
 Coverity also seems to be targeting big companies as customers.  It's not
 clear how arbitrary open source projects (and small companies and
 individuals) will be able to take advantage of Coverity's products and
 services.
 

Here's my take on this -- in the last couple of years, I've personally 
been to hundreds of companies (some big, some small) in an effort to get 
our technology out there. Of course it's no surprise that I see open 
source projects everywhere -- as part of infrastructure or part of code 
bases that people are developing. So from a Coverity perspective, 
clearly we want to provide source code analysis for the projects that 
our customers care about (their own as well as open source).

Putting on my idealistic hat and remembering back my grad school days, I 
think we're on to something very new in the world of source code 
analysis. I really just want every developer to use source code analysis 
while they write code (remember, idealistic :)). We got a lot of the 
good publicity in the research lab because there existed this big open 
source OS that we could test our theories on. So from that angle, I 
think it makes sense for Coverity to have a strong relationship with the 
open source community since that community has been helping us pretty 
much since day 1. This project is just the next step in that...it's 
certainly not the last.

There's plenty more to do to target every developer.

-ben


Re: [Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-11 Thread Thomas Wouters
On 3/7/06, Ben Chelf [EMAIL PROTECTED] wrote:
 Putting on my idealistic hat and remembering back my grad school days, I
 think we're on to something very new in the world of source code
 analysis. I really just want every developer to use source code analysis
 while they write code (remember, idealistic :)). We got a lot of the
 good publicity in the research lab because there existed this big open
 source OS that we could test our theories on. So from that angle, I
 think it makes sense for Coverity to have a strong relationship with the
 open source community since that community has been helping us pretty
 much since day 1. This project is just the next step in that...it's
 certainly not the last.

 There's plenty more to do to target every developer.

Well, as long as we're talking idealistically, I wonder how easy it would
be to add reference-counting tracking to Coverity Prevent. Python, Perl
and (I believe) PHP all have their own kind of refcounting, but the base
semantics are pretty much the same: a function can return a new or a
borrowed reference, and it can borrow or steal references passed to it.
Without having seen how Prevent works, it feels to me like it would be a
small addition to keep track of these application-specific details. Or,
perhaps more generic, add a few markers to keep track of them; in Python,
you'd only have to mark Py_INCREF and Py_DECREF, and possibly manual
fidgeting with an object's refcount (which is hopefully extremely rare.)

I say 'idealistically', though, because I don't know how much business
sense it makes to cater to refcounting mechanisms.

-- 
Thomas Wouters [EMAIL PROTECTED]

Hi! I'm a .signature virus! copy me into your .signature file to help me spread!
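The refcount-tracking idea in Thomas's message, as an added illustration that is not part of the thread and not Coverity's or CPython's code: a small path-insensitive checker over straight-line C statements. It carries a hand-written ownership table for a handful of CPython API functions (new vs. borrowed return, and which argument positions are stolen, as documented in the C API reference), treats Py_INCREF and Py_DECREF as the explicit markers, and reports four defect classes: a reference still owned at exit (leak), a Py_DECREF on a reference the function never owned, a borrowed reference returned as if it were new, and a borrowed reference handed to a stealing parameter. The function bodies it is run on are constructed samples; the regexes, the `API` table layout and the finding messages are this example's own conventions, not anything Prevent does.

```python
import re

# Ownership table for a handful of CPython API functions, as documented in the
# C API reference: "returns" says whether the result is a new or a borrowed
# reference; "steals" lists the 0-based argument positions whose reference the
# callee takes over (the caller must not Py_DECREF those afterwards).
API = {
    "PyLong_FromLong":      {"returns": "new",      "steals": ()},
    "PyList_New":           {"returns": "new",      "steals": ()},
    "PyTuple_New":          {"returns": "new",      "steals": ()},
    "PyList_GetItem":       {"returns": "borrowed", "steals": ()},
    "PyDict_GetItemString": {"returns": "borrowed", "steals": ()},
    "PyList_Append":        {"returns": "int",      "steals": ()},
    "PyList_SetItem":       {"returns": "int",      "steals": (2,)},
    "PyTuple_SetItem":      {"returns": "int",      "steals": (2,)},
}

# Statement shapes this toy checker understands (its own convention, not C grammar).
ASSIGN = re.compile(r"^(?:\w+\s*\**\s*)?(\w+)\s*=\s*(\w+)\((.*)\)$")
CALL = re.compile(r"^(\w+)\((.*)\)$")
RETURN = re.compile(r"^return\s+(\w+)$")


def _statements(src):
    """Split a straight-line C body into ';'-terminated statements, comments removed."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = re.sub(r"//[^\n]*", "", src)
    return [s.strip() for s in src.split(";") if s.strip()]


def _give_up(owned, var, what, n, findings):
    """Transfer one owned reference to `var` away from this function; report if none."""
    if owned.get(var, 0) > 0:
        owned[var] -= 1
    else:
        findings.append(f"statement {n}: {what} '{var}', which this function does not own")


def check_function(src):
    """Return findings (strings) for one straight-line C function body."""
    owned = {}       # variable -> number of references this function currently owns
    findings = []
    for n, stmt in enumerate(_statements(src), 1):
        if m := ASSIGN.match(stmt):
            var, func, args = m.groups()
            if owned.get(var, 0) > 0:
                findings.append(f"statement {n}: '{var}' overwritten while still owned (reference leak)")
            spec = API.get(func)
            if spec is None:
                continue                      # unknown callee: nothing to say
            owned[var] = 1 if spec["returns"] == "new" else 0
        elif m := CALL.match(stmt):
            func, args = m.groups()
            if func == "Py_INCREF":           # the explicit markers Thomas mentions
                owned[args.strip()] = owned.get(args.strip(), 0) + 1
                continue
            if func == "Py_DECREF":
                _give_up(owned, args.strip(), "Py_DECREF of", n, findings)
                continue
            spec = API.get(func)
            if spec is None:
                continue
        elif m := RETURN.match(stmt):
            if m.group(1) != "NULL":          # returning hands one reference to the caller
                _give_up(owned, m.group(1), "returns", n, findings)
            break                             # straight-line code: nothing runs after return
        else:
            continue
        # Arguments in stealing positions transfer ownership to the callee.
        arglist = [a.strip() for a in args.split(",")]
        for pos in spec["steals"]:
            if pos < len(arglist) and re.fullmatch(r"[A-Za-z_]\w*", arglist[pos]):
                _give_up(owned, arglist[pos], f"{func} steals", n, findings)
    for var, count in owned.items():
        if count > 0:
            findings.append(f"'{var}' still owned at function exit (reference leak)")
    return findings


# Constructed sample bodies (not real CPython code), one per defect class.
SAMPLE_LEAK = """
    PyObject *lst = PyList_New(0);
    PyObject *n = PyLong_FromLong(42);
    PyList_Append(lst, n);      /* Append does not steal: n is still ours to release */
    return lst;
"""
SAMPLE_FIXED = SAMPLE_LEAK.replace("return lst;", "Py_DECREF(n);\n    return lst;")
SAMPLE_BORROWED = """
    PyObject *item = PyList_GetItem(lst, 0);   /* borrowed reference */
    Py_DECREF(item);
    return item;
"""
SAMPLE_STEAL = """
    PyObject *t = PyTuple_New(1);
    PyObject *item = PyList_GetItem(lst, 0);
    PyTuple_SetItem(t, 0, item);               /* SetItem steals item */
    return t;
"""
```

Running `check_function` over the four samples flags the leaked `n`, reports nothing for the fixed version, flags both the DECREF and the return of the borrowed `item`, and flags `item` being stolen by PyTuple_SetItem. Real code needs the path-sensitive part this toy skips: error exits (`if (!n) return NULL;`) are exactly where owned references get dropped, so a checker has to carry the ownership state along every branch, not just the straight line.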


[Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-06 Thread Ben Chelf
Hello Python Developers,

   I'm the CTO of Coverity, Inc., a company that does static source code 
analysis to look for defects in code. You may have heard of us or of our 
technology from its days at Stanford (the Stanford Checker). The 
reason I'm writing is because we have set up a framework internally to 
continually scan open source projects and provide the results of our 
analysis back to the developers of those projects. Python is one of the 
32 projects currently scanned at:

http://scan.coverity.com

   My belief is that we (Coverity) must reach out to the developers of 
these packages (you) in order to make progress in actually fixing the 
defects that we happen to find, so this is my first step in that 
mission. Of course, I think Coverity technology is great, but I want to 
hear what you think and that's why I worked with folks at Coverity to 
put this infrastructure in place. The process is simple -- it checks out 
your code each night from your repository and scans it so you can always 
see the latest results.

   Right now, we're guarding access to the actual defects that we report 
for a couple of reasons: (1) We think that you, as developers of Python, 
should have the chance to look at the defects we find to patch them 
before random other folks get to see what we found and (2) From a 
support perspective, we want to make sure that we have the appropriate 
time to engage with those who want to use the results to fix the code. 
Because of this second point, I'd ask that if you are interested in 
really digging into the results a bit further for your project, please 
have a couple of core maintainers (or group nominated individuals) reach 
out to me to request access. As this is a new process for us and still 
involves a small number of packages, I want to make sure that I 
personally can be involved with the activity that is generated from this 
effort.

   So I'm basically asking for people who want to play around with some 
cool new technology to help make source code better. If this interests 
you, please feel free to reach out to me directly. And of course, if 
there are other packages you care about that aren't currently on the 
list, I want to know about those too.

   If this is the wrong list, my sincerest apologies and please let me 
know where would be a more appropriate forum for this type of message.

Many thanks for reading this far...

-ben

  Ben Chelf
  Chief Technology Officer
  Coverity, Inc.


Re: [Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-06 Thread Tim Peters
[Ben Chelf [EMAIL PROTECTED]]
 ...
 I'd ask that if you are interested in really digging into the results a bit
 further for your project, please have a couple of core maintainers (or
 group nominated individuals) reach out to me to request access.

Didn't we set up a security swat team some time ago?  If not, we
should.  Regardless, since I have more free time these days, I'd like
to be on it.

think-of-it-as-john-kelly-reaching-out-to-andy-spowicz-ly y'rs  - tim


Re: [Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-06 Thread Barry Warsaw
On Mon, 2006-03-06 at 14:26 -0500, Tim Peters wrote:
 [Ben Chelf [EMAIL PROTECTED]]
  ...
  I'd ask that if you are interested in really digging into the results a bit
  further for your project, please have a couple of core maintainers (or
  group nominated individuals) reach out to me to request access.
 
 Didn't we set up a security swat team some time ago?  If not, we
 should.  Regardless, since I have more free time these days, I'd like
 to be on it.

Yep, it's called [EMAIL PROTECTED] (with a semi-secret backing mailing
list, which I'd be happy for you to join!).  I definitely think that
group of folks at the least should review the results.

-Barry





Re: [Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-06 Thread Thomas Wouters
On 3/6/06, Barry Warsaw [EMAIL PROTECTED] wrote:
  Didn't we set up a security swat team some time ago?  If not, we
  should.  Regardless, since I have more free time these days, I'd like
  to be on it.

 Yep, it's called [EMAIL PROTECTED] (with a semi-secret backing mailing
 list, which I'd be happy for you to join!).  I definitely think that
 group of folks at the least should review the results.

Well, if we start volunteering here, I'll volunteer as well. (For either
group.) Can't let Tim have all the fun!

-- 
Thomas Wouters [EMAIL PROTECTED]

Hi! I'm a .signature virus! copy me into your .signature file to help me spread!


Re: [Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-06 Thread Tim Peters
[Barry]
 Yep, it's called [EMAIL PROTECTED] (with a semi-secret backing mailing
 list, which I'd be happy for you to join!).

If guessing the right Mailman URL was the semi-secret test, I passed :-)

 I definitely think that group of folks at the least should review the results.

Yup!


Re: [Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-06 Thread Dennis Allison
On Mon, 6 Mar 2006, Barry Warsaw wrote:

 On Mon, 2006-03-06 at 14:26 -0500, Tim Peters wrote:
  [Ben Chelf [EMAIL PROTECTED]]
   ...
   I'd ask that if you are interested in really digging into the results a bit
   further for your project, please have a couple of core maintainers (or
   group nominated individuals) reach out to me to request access.
  
  Didn't we set up a security swat team some time ago?  If not, we
  should.  Regardless, since I have more free time these days, I'd like
  to be on it.
 
 Yep, it's called [EMAIL PROTECTED] (with a semi-secret backing mailing
 list, which I'd be happy for you to join!).  I definitely think that
 group of folks at the least should review the results.
 
 -Barry
 
From their open source chart:

Project      Defects   Lines of code   Defects per KLOC
OpenVPN            7          69,842              0.100
Perl              89         479,780              0.186
PHP              207         431,251              0.480
PostgreSQL       297         815,700              0.364
ProFTPD           26          89,650              0.290
Python            59         259,896              0.227
Samba            215         312,482              0.688

This is interesting stuff.  See http://metacomp.stanford.edu for some 
background.  

The Coverity marketing droids need to be a bit less anal about getting
people to register at the website.  IMHO, the technology should be
described openly and allowed to speak for itself. On the other hand, the
policy of not disclosing discovered bugs until someone has had a chance to
evaluate their significance and fix them is probably a good one.

I'd also encourage Coverity to explain their business model a bit more
clearly.  Coverity seems to be supportive of open source projects.
Coverity also seems to be targeting big companies as customers.  It's not
clear how arbitrary open source projects (and small companies and
individuals) will be able to take advantage of Coverity's products and
services.

From Ben's email:

 ... if you are interested in
 really digging into the results a bit further for your project, please
 have a couple of core maintainers (or group nominated individuals) reach
 out to me to request access. As this is a new process for us and still
 involves a small number of packages, I want to make sure that I
 personally can be involved with the activity that is generated from this
 effort.

 So I'm basically asking for people who want to play around with some
 cool new technology to help make source code better. If this interests
 you, please feel free to reach out to me directly. And of course, if
 there are other packages you care about that aren't currently on the
 list, I want to know about those too.

This looks to me to be something worth doing.  I wish I had the time to be
one of the designated folks, but, sadly, I don't.  





Re: [Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-06 Thread Guido van Rossum
FWIW, coverity has been busy marketing this already:

http://www.pcpro.co.uk/news/84465/key-opensource-code-passes-muster.html

--
--Guido van Rossum (home page: http://www.python.org/~guido/)


Re: [Python-Dev] Coverity Open Source Defect Scan of Python

2006-03-06 Thread Jeremy Hylton
On 3/6/06, Thomas Wouters [EMAIL PROTECTED] wrote:
 On 3/6/06, Barry Warsaw [EMAIL PROTECTED] wrote:
   Didn't we set up a security swat team some time ago?  If not, we
   should.  Regardless, since I have more free time these days, I'd like
   to be on it.
 
  Yep, it's called [EMAIL PROTECTED] (with a semi-secret backing mailing
  list, which I'd be happy for you to join!).  I definitely think that
  group of folks at the least should review the results.

 Well, if we start volunteering here, I'll volunteer as well. (For either
 group.) Can't let Tim have all the fun!

I also sent mail to Ben volunteering.  I expect the scope of defects
recognized is larger than just security.  In particular, the compiler
has a large body of code that has never been released before.  It
would be nice to catch a few of its bugs before a release :-).

Jeremy