NEWS for 6.7: mention coverity bug fixes

NEWS for 6.7: mention coverity bug fixes

[msnyder]

[-- Attachment #1: Type: text/plain, Size: 36 bytes --]

Can we include this in 6.7 please?


[-- Attachment #2: NEWS.txt --]
[-- Type: text/plain, Size: 792 bytes --]

2007-08-17  Michael Snyder  <msnyder@access-company.com>

	* NEWS: Mention Coverity bug fixes.

Index: NEWS
===================================================================
RCS file: /cvs/src/src/gdb/NEWS,v
retrieving revision 1.235
diff -p -r1.235 NEWS
*** NEWS	17 Jul 2007 12:51:40 -0000	1.235
--- NEWS	17 Aug 2007 19:10:35 -0000
***************
*** 3,8 ****
--- 3,12 ----
  
  *** Changes since GDB 6.6
  
+ * 58 Coverity issues resolved in gdb, 29 in bfd, 1 in libiberty, and
+ 1 in opcodes.  These include such things as resource leaks, null pointer
+ dereference, use after free, and array overruns.
+ 
  * When looking up multiply-defined global symbols, GDB will now prefer the
  symbol definition in the current shared library if it was built using the
  -Bsymbolic linker option.

Re: NEWS for 6.7: mention coverity bug fixes

[Eli Zaretskii]

> Date: Fri, 17 Aug 2007 12:12:43 -0700 (PDT)
> From: msnyder@sonic.net
> 
> Can we include this in 6.7 please?

Yes, but...

> + * 58 Coverity issues resolved in gdb, 29 in bfd, 1 in libiberty, and
> + 1 in opcodes.  These include such things as resource leaks, null pointer
> + dereference, use after free, and array overruns.

Are we sure the reader will know what is Coverity, and what does the
above mean to her/him?

Re: NEWS for 6.7: mention coverity bug fixes

[msnyder]

>> Date: Fri, 17 Aug 2007 12:12:43 -0700 (PDT)
>> From: msnyder@sonic.net
>>
>> Can we include this in 6.7 please?
>
> Yes, but...
>
>> + * 58 Coverity issues resolved in gdb, 29 in bfd, 1 in libiberty, and
>> + 1 in opcodes.  These include such things as resource leaks, null
>> pointer
>> + dereference, use after free, and array overruns.
>
> Are we sure the reader will know what is Coverity, and what does the
> above mean to her/him?

I'm open to suggestions.  We could include their URL, for instance...

Re: NEWS for 6.7: mention coverity bug fixes

[Nick Roberts]

 >   *** Changes since GDB 6.6
 >   
 > + * 58 Coverity issues resolved in gdb, 29 in bfd, 1 in libiberty, and
 > + 1 in opcodes.  These include such things as resource leaks, null pointer
 > + dereference, use after free, and array overruns.
 > + 
 >   * When looking up multiply-defined global symbols, GDB will now prefer the
 >   symbol definition in the current shared library if it was built using the
 >   -Bsymbolic linker option.

I can imagine that Coverity would like recognition when their software is
successfully used to find bugs in free software projects, but I don't think
that NEWS is the right place to do it.  This file details what changes have
been made to GDB, not how they were made or how many were made.  You already
mention Coverity in the ChangeLogs, which seems the right thing to do.  _They_
can then use this as evidence to any claims that they might wish to make about
their software.

-- 
Nick                                           http://www.inet.net.nz/~nickrob

Re: NEWS for 6.7: mention coverity bug fixes

[Michael Snyder]

----- Original Message ----- 
From: "Nick Roberts" <nickrob@snap.net.nz>
To: <msnyder@sonic.net>
Cc: <gdb-patches@sourceware.org>
Sent: Friday, August 17, 2007 6:05 PM
Subject: Re: NEWS for 6.7: mention coverity bug fixes


> >   *** Changes since GDB 6.6
>  >
>  > + * 58 Coverity issues resolved in gdb, 29 in bfd, 1 in libiberty, and
>  > + 1 in opcodes.  These include such things as resource leaks, null
pointer
>  > + dereference, use after free, and array overruns.
>  > +
>  >   * When looking up multiply-defined global symbols, GDB will now
prefer the
>  >   symbol definition in the current shared library if it was built using
the
>  >   -Bsymbolic linker option.
>
> I can imagine that Coverity would like recognition when their software is
> successfully used to find bugs in free software projects, but I don't
think
> that NEWS is the right place to do it.  This file details what changes
have
> been made to GDB, not how they were made or how many were made.  You
already
> mention Coverity in the ChangeLogs, which seems the right thing to do.
_They_
> can then use this as evidence to any claims that they might wish to make
about
> their software.

Actually I stopped mentioning them in the changelogs, when
one of the Binutils maintainers said that they thought it was
inappropriate.

Re: NEWS for 6.7: mention coverity bug fixes

[Eli Zaretskii]

> Date: Fri, 17 Aug 2007 14:03:15 -0700 (PDT)
> From: msnyder@sonic.net
> Cc: msnyder@sonic.net, gdb-patches@sourceware.org
> 
> >> Date: Fri, 17 Aug 2007 12:12:43 -0700 (PDT)
> >> From: msnyder@sonic.net
> >>
> >> Can we include this in 6.7 please?
> >
> > Yes, but...
> >
> >> + * 58 Coverity issues resolved in gdb, 29 in bfd, 1 in libiberty, and
> >> + 1 in opcodes.  These include such things as resource leaks, null
> >> pointer
> >> + dereference, use after free, and array overruns.
> >
> > Are we sure the reader will know what is Coverity, and what does the
> > above mean to her/him?
> 
> I'm open to suggestions.  We could include their URL, for instance...

Yes, and a sentence about what it is.

Or maybe omit the name altogether, and just say that more than 80
issues with resource leaks etc. were resolved.

Re: NEWS for 6.7: mention coverity bug fixes

[Nick Roberts]

 > > I can imagine that Coverity would like recognition when their software is
 > > successfully used to find bugs in free software projects, but I don't
 > > think that NEWS is the right place to do it.  This file details what
 > > changes have been made to GDB, not how they were made or how many were
 > > made.  You already mention Coverity in the ChangeLogs, which seems the
 > > right thing to do.  _They_ can then use this as evidence to any claims
 > > that they might wish to make about their software.
 > 
 > Actually I stopped mentioning them in the changelogs, when
 > one of the Binutils maintainers said that they thought it was
 > inappropriate.

I think I can see this in the archives where he suggests writing what he calls
a NEWS entry but then refers to http://gcc.gnu.org/news.html, for which there
appears to be no GDB equivalent.  I thought the NEWS _file_ was aimed at the
users of GDB.  To that extent the bug fixes made through Coverity are only
relevant here if they provide a noticeable difference, e.g., users were
complaining about crashes and leakages which have been fixed.

I guess if Coverity is proprietary software then the Free Software line may be
that it gets no mention. However, the ChangeLog seems appropriate to me, just
as it is the place where the author gets recognition for his/her contribution.

-- 
Nick                                           http://www.inet.net.nz/~nickrob

Re: NEWS for 6.7: mention coverity bug fixes

[Michael Snyder]

----- Original Message ----- 
From: "Nick Roberts" <nickrob@snap.net.nz>
To: "Michael Snyder" <msnyder@sonic.net>
Cc: <gdb-patches@sourceware.org>
Sent: Saturday, August 18, 2007 1:52 AM
Subject: Re: NEWS for 6.7: mention coverity bug fixes


> > > I can imagine that Coverity would like recognition when their software
is
>  > > successfully used to find bugs in free software projects, but I don't
>  > > think that NEWS is the right place to do it.  This file details what
>  > > changes have been made to GDB, not how they were made or how many
were
>  > > made.  You already mention Coverity in the ChangeLogs, which seems
the
>  > > right thing to do.  _They_ can then use this as evidence to any
claims
>  > > that they might wish to make about their software.
>  >
>  > Actually I stopped mentioning them in the changelogs, when
>  > one of the Binutils maintainers said that they thought it was
>  > inappropriate.
>
> I think I can see this in the archives where he suggests writing what he
calls
> a NEWS entry but then refers to http://gcc.gnu.org/news.html, for which
there
> appears to be no GDB equivalent.  I thought the NEWS _file_ was aimed at
the
> users of GDB.  To that extent the bug fixes made through Coverity are only
> relevant here if they provide a noticeable difference, e.g., users were
> complaining about crashes and leakages which have been fixed.
>
> I guess if Coverity is proprietary software then the Free Software line
may be
> that it gets no mention. However, the ChangeLog seems appropriate to me,
just
> as it is the place where the author gets recognition for his/her
contribution.

That was indeed my first thought.

Would you suggest, then, that I go back and annotate the 60 or so
change log entries I've made that refer to fixing Coverity issues?

Re: NEWS for 6.7: mention coverity bug fixes

[Nick Roberts]

 > > I guess if Coverity is proprietary software then the Free Software line
 > > may be that it gets no mention. However, the ChangeLog seems appropriate
 > > to me, just as it is the place where the author gets recognition for
 > > his/her contribution.
 > 
 > That was indeed my first thought.
 > 
 > Would you suggest, then, that I go back and annotate the 60 or so
 > change log entries I've made that refer to fixing Coverity issues?

It's not really for me to suggest it, but unless a maintainer objects I
don't see why not.

-- 
Nick                                           http://www.inet.net.nz/~nickrob

Re: NEWS for 6.7: mention coverity bug fixes

[Daniel Jacobowitz]

On Mon, Aug 20, 2007 at 10:42:15PM +1200, Nick Roberts wrote:
> It's not really for me to suggest it, but unless a maintainer objects I
> don't see why not.

Personally, I don't really like either solution.  Maybe we should have
a news section on the web site, similar to GCC's.  This might also be
a suitable place for contribution notices ("so and so have contributed
support for blah").

-- 
Daniel Jacobowitz
CodeSourcery

Re: NEWS for 6.7: mention coverity bug fixes

[msnyder]

> I guess if Coverity is proprietary software then the Free Software line
> may be
> that it gets no mention.

That would be biting the hand that feeds us, wouldn't it?

Coverity donated a valuable service to FSF.  We benefitted
directly, thru the fixing of numerous potential crasher and
security risk bugs.  They charge most people for that service,
but they donated it to us for free.  This is not substantially
different from a for-profit employer donating the time of their
employees (such as most of us), and I should think we would
like to encourage it.

There is precident for acknowledging the contributions of
institutions and corporations in the NEWS file:

    Configurations for embedded MIPS now include a simulator
    contributed by Cygnus Solutions.

    Sparc configurations may now include the ERC32 simulator
    contributed by the European Space Agency.

What's wrong with acknowledging what Coverity has contributed?

Re: NEWS for 6.7: mention coverity bug fixes

[msnyder]

>
>> I guess if Coverity is proprietary software then the Free Software line
>> may be
>> that it gets no mention.
>
> That would be biting the hand that feeds us, wouldn't it?
>
> Coverity donated a valuable service to FSF.  We benefitted
> directly, thru the fixing of numerous potential crasher and
> security risk bugs.  They charge most people for that service,
> but they donated it to us for free.  This is not substantially
> different from a for-profit employer donating the time of their
> employees (such as most of us), and I should think we would
> like to encourage it.
>
> There is precident for acknowledging the contributions of
> institutions and corporations in the NEWS file:
>
>     Configurations for embedded MIPS now include a simulator
>     contributed by Cygnus Solutions.
>
>     Sparc configurations may now include the ERC32 simulator
>     contributed by the European Space Agency.
>
> What's wrong with acknowledging what Coverity has contributed?

One more:

    HP has donated a curses-based terminal user interface (TUI).
    To get it, build with --enable-tui.  Although this can be
    enabled for any configuration, at present it only works for
    native HP debugging.

HP is certainly a proprietary software company.

Re: NEWS for 6.7: mention coverity bug fixes

[Mark Kettenis]

> Date: Mon, 20 Aug 2007 11:36:59 -0700 (PDT)
> From: msnyder@sonic.net
> 
> There is precident for acknowledging the contributions of
> institutions and corporations in the NEWS file:
> 
>     Configurations for embedded MIPS now include a simulator
>     contributed by Cygnus Solutions.
> 
>     Sparc configurations may now include the ERC32 simulator
>     contributed by the European Space Agency.
> 
> What's wrong with acknowledging what Coverity has contributed?

I don't think there anything wrong with that, unless we know Coverity
is actively working against the Free Software communitiy.

I do think however that your origional phrasing was a bit odd.
"Coverity Issues" isn't really a meaningful description.  I'd prefer
if you added some sort of description about the class of bugs fixed
and then add a variation on what you show above, like "found by
Coverity Inc.".

Mark

Re: NEWS for 6.7: mention coverity bug fixes

[Nick Roberts]

 > >> I guess if Coverity is proprietary software then the Free Software line
 > >> may be
 > >> that it gets no mention.
 > >
 > > That would be biting the hand that feeds us, wouldn't it?

Not really, but we're going round in circles because I've already agreed with
your position.  I was just speculating what FSF might say.

-- 
Nick                                           http://www.inet.net.nz/~nickrob