Department of Homeland Security Funds Open Source Security

I was asked to comment on DHS’ funding of Coverity (who make a static code analyser that is not bad, as such tools go), Stanford (where Coverity’s founder is a professor, so no surprises there) and Symantec (why?) to apply Coverity to various open source projects.

Of course, the article stresses the negative points I made, omitting the fact that, despite its shortcomings, I welcome the move. I just think it could be done better.

In particular, the right way to use static analysis tools is routinely, as part of the build process, every time a developer changes a single line of code. Waiting until the poor guy thinks he’s finished and then saying “hah, but we found these hundred issues with your last 3 months of work” is not efficient.
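One way to put this into practice, as an added example that is not from the post or from Coverity: a small Python build gate that compares the analyser's output with a stored baseline and fails only on findings the current change introduces, so the backlog never blocks anyone but new issues are caught immediately (the analyser command and its output format are assumptions).

```python
"""Gate a build on new static-analysis findings rather than the whole backlog.

Assumed (not from the post): a hypothetical analyser ANALYSER_CMD prints one
finding per line as 'path:line: CHECKER: message', and a baseline file holds
the findings already known, so a change fails the build only for issues it adds.
"""
import subprocess
import sys
from pathlib import Path

ANALYSER_CMD = ["my-analyser", "--quiet", "."]  # hypothetical CLI, adapt to your tool
BASELINE_FILE = Path("analysis-baseline.txt")

def parse_findings(output: str) -> set[tuple[str, str, str]]:
    """Turn 'path:line: CHECKER: message' lines into (path, checker, message) keys.
    The line number is dropped on purpose: unrelated edits shift lines, and an old
    finding that merely moved must not be reported as new."""
    findings = set()
    for line in output.splitlines():
        parts = line.split(":", 3)
        if len(parts) != 4 or not parts[1].strip().isdigit():
            continue  # progress output, blank lines, anything that is not a finding
        path, _lineno, checker, message = (p.strip() for p in parts)
        findings.add((path, checker, message))
    return findings

def new_findings(baseline_output: str, current_output: str) -> set[tuple[str, str, str]]:
    """Findings present now that were not in the baseline run."""
    return parse_findings(current_output) - parse_findings(baseline_output)

def gate(baseline_output: str, current_output: str) -> int:
    """Return the exit status for the build: 0 if no new findings, 1 otherwise."""
    fresh = new_findings(baseline_output, current_output)
    for path, checker, message in sorted(fresh):
        print(f"NEW {checker} in {path}: {message}", file=sys.stderr)
    return 1 if fresh else 0

def main() -> int:
    # Run the analyser on the current tree and compare with the stored baseline.
    result = subprocess.run(ANALYSER_CMD, capture_output=True, text=True, check=False)
    baseline = BASELINE_FILE.read_text() if BASELINE_FILE.exists() else ""
    if "--update-baseline" in sys.argv:
        BASELINE_FILE.write_text(result.stdout)  # accept the current state as known
        return 0
    return gate(baseline, result.stdout)

if __name__ == "__main__":
    sys.exit(main())
```

Wired into the build (a make target or pre-commit hook), a nonzero exit stops the change at the developer's desk rather than months later; the baseline is then burned down separately.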

