registration required?

you mean a random sequence of strings and something that looks like an email address is required. Why do they bother?

Coverity says that its tool works

Maybe I'm being a Paris and not having read the report, but if you were looking for specific types of flaws and fixing them, wouldn't you expect to measure fewer over time?

I wonder if they had a control group of projects which they ran Coverity on and which they didn't report any of the flaws that they found?

Code Quality Rating

So they've officially raised the Code Quality Rating of open sauce bloatware from 'shite' to 'tripe'.

Woopie!

That'll be why FirePheasant is less of a memory hog and is more responsive than it used to be before the improved coding quality.

Some Limitations

"The mix of defect types identified in the process remains consistent. NULL Pointers, resource leaks and unintentional ignored expressions have consistently remained the main problem areas for coders."

Er, I think you'll find that what "remains consistent" is the kind of problem that static analysis can find, not the problems going into the code. There's a whole class of "insecure by design" flaws (such as trusting external input) that simply aren't explicit at the source code level and so will escape detection by these tools.

You'll also find that the vast majority of resource leaks could be plugged by systematic use of resource handling classes and that the compiler would have warned about that ignored expression if you hadn't trodden on the warning. Therefore, there are better ways of avoiding these problems than marking up all your code for static analysis. (You only get the full benefit if you mark up the OS headers, too, which isn't going to happen for the vast majority of people. To their credit, Microsoft have PreFASTed the Windows headers, so if you are only targetting that platform and willing to use their tool, the approach is just about feasible.)

On the other hand, these are real flaws in real code and it is good that someone continues to bang on about the large numbers of such, even if the solution they are selling is probably the wrong one.

@sigxcpu

~39 million lines?

Didn't I hear that in connection with MS Win XP, or was it Service Pack 1 for MS Win XP?

I believe that is commercially available code from a well-funded project house.

:-)

But, Joe M ...

Most Linux video (and other hardware) drivers are in fact identical to both the Windows and Mac equivalents. Those that originate from nvidia (urgh) certainly do. I've seen them. The only difference is that they are in a different binary representation - reflecting the platform they are compiled for.

Indeed, most Linux distros even allow Windows drivers for all kinds of hardware to be used quite successfully using a wrapper function where a native Linux driver is not available.

If the drivers are so poor in quality, then the Windows and Mac ones are just as bad.

Me, I don't know any five year-olds who write code professionally. I do, however, comment all my code extensively (as do most other developers I have had to work with). If you think other people's work is such "a huge intellectual garbage dump" please feel free to forward your own work for consideration. I'm sure we'd all have such a lot to learn from you about writing hardware drivers.

Remember That Linus Guy?

You know the one that invented Linux and just this week said it was becoming fat and bloated?

There's a catch to this story that I'm sure some people have caught, it's that security, quality, and user experience = bloat.

You can't have all three things, Microsoft learned this years ago and just accept the bloat - that's where OSS is going to have to go as well -there aren't really any other options. Just suck it up and accept MS now or accept MS under another name in the near future.

@sigxcpu

"that will give ~39 million LOC average per project. Do you know ANY OS/commercial project that has 39 million LOC?"

Umm Vista?

A view from the inside.... sort-of

>>I wonder if they had a control group of projects which they ran Coverity on and which they didn't report any of the flaws that they found?

They scan projects that people suggest to them. From whats visible they _might_ use the projects which don't officially sign up developers to get reports as a baseline of the general environment. Would be biased though since they are likely to be the small ones.

>> Do you know ANY OS/commercial project that has 39 million LOC?

From the weird results I've had to wade through to find the bugs sometimes it seems to me that they scan the latest release of all available versions of the project. So you have to divide that 39M again by the number of active supported releases.

... or maybe the billion is the aggregate number of scans run (at one per day or so).

The largest project on their list is KDE with over 4 Mega lines. You can see the project list at http://scan.coverity.com/rungAll.html

>> You only get the full benefit if you mark up the OS headers, too, which isn't going to happen for the vast majority of people

It's annoying but I suppose useful, coverity report any OS flaws that are in code used by the FOSS project and count them against the project itself. Though I suppose it increases the pressure from app devs to the OS devs to get the OS fixed too, and get app devs to migrate to safer libraries.

FAIL!

The title of this story is "Open source code quality improving" and suddenly a handful of MS shills comment trying to discredit open source. They use words like bloatware, shite, garbage etc., all in an desperate attempt to push a negative image of open source.

Open source and open standards are the future (even major software companies are beginning to realise it). Closed source and closed standards will only lead to the monopolization of data management and distribution and that is NOT acceptable for all kinds of reasons.

So I suggest you crawl back under your shitty, slimy rocks you horrible little FUD pushers.