Re: Coverity Scan for GNUstep?

[Fred Kiefer]

As you know I am no fan of management tasks. If you have time for this it would 
be great if you could set it up. Otherwise I will try to do it over the next 
weekend.
A new mailing list would be one way to go, the other possibility is to register 
the core module maintainers (your, Richard, me) for all the core modules there.

> Am 15.01.2018 um 02:50 schrieb Ivan Vučica <address@hidden>:
> 
> I don't recall it, but it seems like a good idea.
> 
> I don't have a preference. Perhaps particular project's maintainer? Or
> perhaps we can (instead of a single person) have a closed-off security
> discussion list, with a limited number of invite-only participants?
> Can we do that on gnu.org?
> 
> Do you feel like setting this up?
> 
> On Sun, Jan 14, 2018 at 6:54 PM, Fred Kiefer <address@hidden> wrote:
>> I remember we talked about this before, maybe at the Dublin meeting. There 
>> is the option to set up GNUstep on scan.coverity.com to have the code 
>> automatically checked for known vulnerabilities. At the time we did discuss 
>> this there wasn’t support for Objective-C but this seems to have been added:
>> 
>> https://www.synopsys.com/content/dam/synopsys/sig-assets/datasheets/CWE-CC-Objective-C.pdf
>> 
>> What are your opinions on this? In the beginning it will require some extra 
>> effort to fix the found weaknesses and somehow to flag the false positives. 
>> And who should be in charge of getting the reports? The idea here is that 
>> only the person registered for the project will get the report to prevent 
>> 0-day issues becoming public too soon.
>> 
>> Fred