
Some notes from the Coverity survey

Posted Mar 9, 2006 13:33 UTC (Thu) by bronson (subscriber, #4806)
In reply to: Some notes from the Coverity survey by k8to
Parent article: Some notes from the Coverity survey

It sounds like you were asking Red Hat et al to donate their engineering time to test your closed-source program. And you're surprised that they were not interested??


to post comments

Some notes from the Coverity survey

Posted Mar 9, 2006 16:21 UTC (Thu) by sepreece (guest, #19270) (3 responses)

What in his posting suggested that the purpose of this was to test their tools? I'd guess they were probably interested in getting some good press and some PR attention as a result of making their tools available, but the projects would have gotten some benefit (reduction in latent problems) out of the exercise, too.

On the other hand, running the tools does take some time, analyzing the results does take some time, and many of the problems reported by most tools are "possible" problems rather than operational problems. And it's less satisfying than spending the same time writing code for new functionality.

And, of course, we don't know who they offered them to or how hard they tried to get projects' attention, etc.

Some notes from the Coverity survey

Posted Mar 10, 2006 1:44 UTC (Fri) by k8to (guest, #15413)

Bingo. My company would have loved to do shared press releases with Red Hat or SuSE or whatever saying how the tool helped them and also ran well on their systems and so on. There were even more cross marketing fits than I should go into here that made it a better idea than it sounds for both parties.

And yes, of course using static analysis tools takes time/energy, which is why we wanted to make them available to open source projects as much as possible, while still remaining saleable tools. They didn't need testing; they already worked and had already been sold for some time. It was a matter of making them as available as possible. Certainly the 6 engineers who made the product and were continuing to improve it didn't have time to review hundreds of open source projects, but you'd think SuSE, Red Hat, and other organizations would have interest in eliminating security problems in their systems. And if it generated enough interest in the field that the open source world cloned the functionality, I honestly don't think any of us would have minded.

As it turned out the run ended shorter than expected, but all we wanted was a few years of income from a few years of work, and that's what we got. Making it all free software might have been nice, but it would have required a much larger investment of cash up front.

It's possible that I'm totally wrong about this, but in my years working for Linux companies, I heard many rumours about it being nearly impossible to get Red Hat's attention, and my experiences match. SuSE I had direct contacts with, and called and emailed many appropriate parties, but got no real reply at all. I would say we spent about 4 months periodically attempting to contact various parties before giving up on the idea. Novell central was definitely interested but couldn't communicate internally within their organization.

Anyway, details, details; my takeaway is that you're not going to get a development organization's interest by saying "here is a tool you can use to find bugs". You have to say "here are lots of bugs in your software we already found".

Some notes from the Coverity survey

Posted Mar 10, 2006 1:48 UTC (Fri) by k8to (guest, #15413) (1 response)

Oh, regarding possible vs operational, the sexy part of the tools was a more or less 0 false positives track record. It was very good about identifying real problems in an obvious way. That's what made it so efficient vs older approaches.

Some notes from the Coverity survey

Posted Mar 16, 2006 12:31 UTC (Thu) by jpetso (subscriber, #36230)

So, what has become of your tool? I guess when your firm became defunct it was sent into the void without a thought of open sourcing it, now that no money can be made out of it anymore?


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds