[offtopic] Coverity . . .

Kuba Ober kuba at mareimbrium.org
Wed Apr 19 21:35:04 BST 2006

> > BTW, it does affect KDE since they indirectly use KDE as their marketing
> > tool (see e.g. scan.coverity.com). The mentioned page is a page of "pure
> > facts", sure, but just like media use facts to spin things their way, so
> > do most other marketing campaigns. Coverity is no exception here.
> >
> > Heck, they actually end up posting security holes as their news releases
> > (say the X.org privilege escalation hole). One could bet that in a few
> > months KDE might end up in one of their PR releases. Those are pure
> > marketing devices, no one would bother with them otherwise.
> >
> > Besides, they are not even doing it for free. There's a contract with DHS
> > involved, so one supposes they got decently paid for their efforts.
> >
> > So what this all boils down to is that not only OSS projects like KDE end
> > up being indirectly used by Coverity as marketing devices, Coverity got
> > *paid* for all that.
> Sure, I agree KDE is getting "used" by Coverity, but I'd say just as much
> as KDE is being used by Trolltech, or how Apache is used by IBM when it
> does its code donations. Coverity is getting used by KDE -- improved code.

The amount of code touched by fixes resulting from Coverity scans is tiny 
compared to what Qt and IBM effectively donated to various OSS projects. 
OTOH, those often one-liners might have big impact on the run-time stability 
of KDE, and, as in the case of e.g. X.org, close serious security holes. So I'd 
say that in that sense Coverity is at least neutral.

What slightly irks me is what I mentioned in the first post. The fact that 
they now effectively market to a large, low-on-funds group without providing 
any accessible product is what I consider rubbing people the wrong way.

I imagine that many people instinctively will bring the "not everyone can 
afford a Ferrari" argument. Just to preempt such a line of argumentation, I 
counter-argue that Ferrari doesn't market to low-on-funds OSS developers. 
OTOH, Coverity seems to be doing just that. I question that very strategy, 
and the OSS community's willingness to subject itself to it.

Admittedly, their marketing is not impact-less, as for one I ended up calling 
them and asking what their licensing terms and prices were. But as someone 
who does small-shop development, I got pretty much turned off by their 

I have a rather basic question: how many people who develop for OSS projects 
that Coverity is scanning can
a) themselves afford the $25k that AFAIK the most basic Coverity license 
costs, and
b) have their employers afford such a license.

I believe that the answer to that question is that very, very few 
people/employers could, and that Coverity's sales tactics are incendiary, 
even if they didn't willfully decide on them being so. I imagine that some of 
their top brass might be amused upon hearing that someone in fact thinks of 
their marketing effort in such a way. Yet I still believe I have a point. Oh, 
and let's not forget that the top brass is quite often unaware of what's 
really going on at the customer level, but maybe Coverity isn't big enough 
just yet for such a detachment from the reality to have taken place.

Putting things into a larger perspective: if the OSS-centered community will 
put enough pressure on Coverity, maybe they'll make their product affordable 
to us small-shop people (or even better, to the OSS community at large). 
Experience shows that quite often OSS community pressure works wonders. Case 
in point: trolls GPLing Qt/Windows. Of course their decision wasn't only 
based on community pressure, but I'm sure it certainly helped keep their 
management on track ;)

Cheers, Kuba

More information about the kde-core-devel mailing list