This is the mail archive of the binutils@sourceware.org mailing list for the binutils project.
RE: NEWS: mention Coverity bug fixes
On 22 August 2007 17:19, Ian Lance Taylor wrote:
> "Dave Korn" <dave.korn@artimi.com> writes:
>
>> On 22 August 2007 16:51, Ian Lance Taylor wrote:
>>
>>> msnyder@sonic.net writes:
>>>
>>>> + * 37 Coverity issues fixed in bfd, including potential static array
>>>> + overruns, null pointer dereferences and use of malloc buffer after
>>>> + free. Coverity generously runs its static analysis suite on the
>>>> + GNU tools without charge.
>>>
>>> It's nice of Coverity to run these analyses for us, but do we feel OK
>>> about advertising non-free software in a GNU package?
>>>
>>> Ian
>>
>>
>> Are we advertising their software, or are we giving credit to the
>> organisation for the voluntary work they've done for us? I feel basically OK
>> about credit where credit's due.
>>
>> For comparison, IBM and HP are two firms who make lots of proprietary
>> software, yet have acknowledgements of their contributions to the gcc project
>> listed at http://gcc.gnu.org/news.html
>
> Contributions I have no problem with. But the note above is
> effectively advertising the static analysis suite.
>
> How about something more like:
>
> * Thanks to Coverity for reporting 37 different potential problems in
> BFD. These were all fixed.
>
> Ian
It seems a bit grudging. How have other projects approached this?
Mono gave them a paragraph, naming and linking to them and mentioning their
product (but not the product name):
http://www.go-mono.com/archive/1.1.16/
X.org mentioned Coverity and the name of their tool in a security advisory:
http://scan.coverity.com/vuln-Xwindows.html
Samba were happy to name them:
http://lists.samba.org/archive/samba-announce/2006/000094.html
cheers,
DaveK
--
Can't think of a witty .sigline today....