Subject: Re: Issue 50 of the NetBSD CVS Digest is out.
To: thilo <jeremias@optushome.com.au>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: current-users
Date: 04/11/2006 01:45:03
On Tue, Apr 11, 2006 at 03:28:34PM +1000, thilo wrote:
> 
> Till now I had the view that the core developer team would fit their 
> knowledge back into the group.
> I wonder if the NDA signed with coverity is preventing them from 
> producing a list of bugs, or is this something else.

I'd appreciate it if you'd stop making up absurd rumors.

Coverity provides access to the detailed information on each bug found
by their product to all official developers of each open-source project
they scan.  They do not require that those people sign any non-disclosure
form in order to receive access to the database of bugs.  So you can stop
spreading _that_ rumor right there, okay?

They do not provide access to the list of bugs directly to the public,
for a number of reasons, some of which I know because I've found them
in their public statements (so, you can too, if having accurate information
is more important to you than engaging in paranoid and harmful speculation
and rumor-mongering) and others of which I can only speculate about.

One of the reasons about which I can speculate, but, I think, quite
reasonably, is that it takes a lot of time to evaluate and fix (where
necessary) hundreds or thousands of Coverity reports.  A malicious
individual scanning through the report (if he had it in detail) trying
to find _one_ bug to exploit can do that a lot faster than even a few
dozen developers methodically working through every issue one by one
and fixing each in turn.  Thus I do not believe the unrestricted
public disclosure of the list to be in anyone's best interest.

Of course, we in no way keep secret any details of the bugs we fix, and
you can see (once again, by looking at readily accessible information
instead of spending your time rumormongering) that we are, in fact,
methodically working our way through _all_ of the Coverity issues and
fixing them.

In order to get direct access to the Coverity tool so that we can run
it ourselves and adjust its parameters, an NDA is required; some aspects
of *how the tool works* are considered proprietary by Coverity, and so
you have your choice: either let them run it for you, and sign no NDA,
or sign the NDA and run it yourself.  The NDA in no way restricts our
ability to fix bugs, as should be obvious because, for example, Coverity
will happily provide access to the scan reports to any individual
developer whether that person has signed an NDA or not.

If you want lower quality results from Coverity's generous donation,
by all means continue to spread rumor and innuendo.  It is possible,
though, I think, not likely, that if enough people flame Coverity for
their generous decision to provide us access to the results of their
very expensive product -- for free -- they will eventually decide to
stop letting us use it for free after all.

Thor