[FFmpeg-devel] [WIP] False positives on Coverity

Vittorio Giovara vittorio.giovara at gmail.com
Mon Jun 10 15:37:06 EEST 2024


On Mon, Jun 10, 2024 at 12:04 AM Michael Niedermayer <michael at niedermayer.cc>
wrote:

> On Sun, Jun 09, 2024 at 03:10:09PM +0200, Vittorio Giovara wrote:
> > On Sun, Jun 9, 2024 at 12:50 AM Timo Rothenpieler <timo at rothenpieler.org
> >
> > wrote:
> >
> > > On 08.06.2024 21:49, Vittorio Giovara wrote:
> > > > On Sat, Jun 8, 2024 at 6:02 PM Michael Niedermayer <
> > > michael at niedermayer.cc>
> > > > wrote:
> > > >
> > > >> On Tue, May 14, 2024 at 01:38:16AM +0200, Michael Niedermayer wrote:
> > > >>> Hi all
> > > >>>
> > > >>> To keep people updated (and as this is not visible on the ML)
> > > >>> here's my current list of issues marked as false positives /
> > > >>> intentional in May & April 2024
> > > >>> (in case anyone wants to review, I presume no one wants but just in
> > > >>> case)
> > > >>
> > > >> updated list as of today:
> > > >> [...]
> > > >>
> > >
> > > Given the insane amount of them, I'm not a fan of that.
> > > It produces more false positives than anything else.
> > > It also has its own internal tracker for them, so flooding any kind of
> > > other issue tracker with it seems just like point spam to me.
> > >
> >
> > Not everyone has access to it. Also I'd rather have a trackable system
> > than a mail with a list of issues.
>
> every FFmpeg developer or maintainer who wants to work on these issues
> can get access.
>

and

> And last but not least Coverity isn't intended to be public because it can
> find security issues.

are contradictory.

In either case, my point is that email is not a good system for these
reports, because they cannot be tracked nor analyzed, and if they do pose a
security risk they shouldn't be advertised so openly. Having a small bounty
with STM funds would probably be a more efficient way of fixing them than
asking people to take a look at them on the ML.
-- 
Vittorio

