Subject: Re: Issue 50 of the NetBSD CVS Digest is out.
To: None <>
From: thilo <>
List: current-users
Date: 04/11/2006 19:21:03
Thor Lancelot Simon wrote:

>On Tue, Apr 11, 2006 at 03:28:34PM +1000, thilo wrote:
>>Till now I had the view that the core developer team would fit their 
>>knwoledge back into the group.
>>I wonder if the NDA signed with coverity is preventing them from 
>>producing a list of bugs, or is this something else.
>I'd appreciate it if you'd stop making up absurd rumors.
David Maxwell stated that you guys had to sign an NDA to "get access". I 
did read that as to get access to the results,
not the tool...
 - fair enough. No more rumor!

>necessary) hundreds or thousands of Coverity reports.  A malicious
>individual scanning through the report (if he had it in detail) trying
>to find _one_ bug to exploit can do that a lot faster than even a few
>dozen developers methodically working through every issue one by one
As far as much as I know about hackers, they do have access to coverity 
and some of their exploits
do results from static source code analysis (not necessarily coverity).
And I would like to quote:
"Ironically, Coverity's war on bugs may benefit hackers, Thornton added.
"A hacker  that's going to use your program to launch another program on 
a machine," Thornton often tells developers, "[doesn't] want your 
program to crash while it's doing that.
"So, most bugs -- hackers don't like them either," he said. "

Which is a statement I agree...

>and fixing each in turn.  Thus I do not believe the unrestricted
>public disclosure of the list to be in anyone's best interest.
-- My opinion is apparent...

>Of course, we in no way keep secret any details of the bugs we fix, and
>you can see (once again, by looking at readily accessible information
>instead of spending your time rumormongering) that we are, in fact,
>methodically working our way through _all_ of the Coverity issues and
>fixing them.
-- People passivly listening on this mailing list would probably happily 
help walking throught those bugs,
they are no enemy to the project ( please don't view that as spam, I 
think we all want to improve the system,
as it has some real advantages over lnx and others. "many eyes" is what 
we (I) want to get a more stable os.
I don't need coverity to find serious bugs, but it helps so that I won't 
waste a lot of time debugging them. And
only where work is being done bugs happen, and this list contains a 
considerable amount of both.)

>In order to get direct access to the Coverity tool so that we can run
>it ourselves and adjust its parameters, an NDA is required; some aspects
>of *how the tool works* are considered proprietary by Coverity, and so
>you have your choice: either let them run it for you, and sign no NDA,
>or sign the NDA and run it yourself.  The NDA in no way restricts our
>ability to fix bugs, as should be obvious because, for example, Coverity
>will happily provide access to the scan reports to any individual
>developer whether that person has signed an NDA or not.
-- Thanks this statement mad a lot sense to me. I did not find anything 
about that on

>If you want lower quality results from Coverity's generous donation,
>by all means continue to spread rumor and innuendo.  It is possible,
-- I guess that coverity uses the open-source for PR is a rumor.

Before I cause more flames on this subject, let me state that I really 
do like NetBSD for a number of reasons,
one is that the sources are very consistent and easy to follow/understand.

I do not want to jepardize the relation-ship we got offered by coverity. 
My main intention was to jump in and suggest fixes to aereas
that I understand. Not more.

One last word, this list should be a pleasant place for all to read -- 
keep it that way!