[offtopic] Coverity . . .

Alexander Neundorf neundorf at kde.org
Wed Apr 19 23:45:25 BST 2006


On Wednesday 19 April 2006 22:35, Kuba Ober wrote:
> The amount of code touched by fixes resulting from Coverity scans is tiny
> compared to what Qt and IBM effectively donated to various OSS projects.
> OTOH, those often one-liners might have big impact on the run-time
> stability of KDE, and, as in case of e.g. X.org, close serious security
> holes. So I'd say that in that sense Coverity is at least neutral.
> What slightly irks me is what I mentioned in the first post. The fact that
> they now effectively market to a large, low-on-funds group without
> providing any accessible product is what I consider rubbing people the wrong
> way.
> I imagine that many people instinctively will bring the "not everyone can
> afford a Ferrari" argument. Just to preempt such a line of argumentation, I
> counter-argue that Ferrari doesn't market to low-on-funds OSS developers.
> OTOH, Coverity seems to be doing just that. 

I don't think they "market" Coverity to us. They give us the chance to have 
our code scanned for free, something which is worth several thousand Euro, 
and something most commercial software projects can't afford.

> Admittedly, their marketing is not impact-less, as for one I ended up
> calling them and asking what their licensing terms and prices were. But as
> someone who does small-shop development, I got pretty much turned off by
> their attitude.
> I have a rather basic question: how many people who develop for OSS
> projects that Coverity is scanning can
> a) themselves afford the $25k that AFAIK the most basic Coverity license
> costs, and
> b) have their employers afford such a license.
> I believe that the answer to that question is that very, very few
> people/employers could, and that Coverity's sales tactics are incendiary,
> even if they didn't willfully decide on them being so. I imagine that some
> of their top brass might be amused upon hearing that someone in fact thinks
> of their marketing effort in such a way. Yet I still believe I have a
> point. Oh, and let's not forget that the top brass is quite often unaware
> of what's really going on at the customer level, but maybe Coverity isn't
> big enough just yet for such a detachment from the reality to have taken
> place.

The $25k price for the basic license is on the same level as the price for 
comparable tools like e.g. Polyspace (http://www.polyspace.com).
As opposed to Coverity, Polyspace doesn't offer such a service for free 
software. Coverity scans huge code bases fast, Polyspace can (probably) 
detect more errors and can also detect error-free code (which Coverity can't 
do), but works much slower. The main target group of both tools is highly 
safety-critical software systems, like planes, trains etc. In these areas the 
money is available.

/me wonders how hard it would be to implement something similar but simpler 
e.g. with the output from gcc-xml

Work: alexander.neundorf AT jenoptik.com - http://www.jenoptik-los.de
Home: neundorf AT kde.org                - http://www.kde.org
      alex AT neundorf.net               - http://www.neundorf.net
