Coverity is a tool to find security problems in code through static analysis. I’m sure it is a fine tool. There is a company behind it, Coverity Inc., and they run the tool on free software. A service like that seems like a good thing. Alas, the details of how scan.coverity.com imply that it is a bad idea for free software supporters to use the service. Here are the mistakes they made:
- There is no notification to the project maintainer that they found problems in the code.
- The problems they have found are not available publicly. (This _may_ be desirable, in case the problems they find are exploitable.)
- They require that any maintainer who wish to review the problems enter into a license agreement with Coverity, Inc. The license is very biased, and all the advantages are with the company, and none with the developer. Further, they can change the license at any time, and you are (presumably) forced to follow it anyway. (Read below for a copy of the license.)
This sends the message that the site is just advertisement for their commercial proprietary products and services. Possibly it could be even worse, it can be seen as a bargaining a’la “Your software is insecure, agree to our evil license and we’ll tell you how to fix it”.
Therefor I suggest that all free software maintainers boycott the scan.coverity.com service until they get their act together.
A reasonable way to change their service to something more acceptable, and potentially even turn it into a positive contribution to the community, would be to send the list of problems to the official bug maintainer address of each project.
Continue reading Boycott scan.coverity.com!