Posted to qa@openoffice.apache.org by Pedro Lino <pe...@gmail.com> on 2014/09/16 17:42:02 UTC
Progress and Quality
Hi all QAers
I'm wondering if I'm missing something or development really stopped/slowed
down since the 4.1.1 release? (according to this site
http://svn.apache.org/viewvc/openoffice/trunk/main/?sortby=date the last
modification was *r1623850* on Tue Sep 9 15:35:43 2014 UTC)
On a separate note, from a Quality perspective it would probably be a
good idea if the Apache OpenOffice code was scanned by one of these Coverity
analyses
http://www.newswire.ca/en/story/1411430/libreoffice-makes-strides-in-software-quality-with-coverity-scan
Kind regards,
Pedro
Re: Progress and Quality
Posted by Andrea Pescetti <pe...@apache.org>.
On 17/09/2014 Ariel Constenla-Haile wrote:
> openoffice.git]$ git shortlog -s -n --all
> ... 70 Andrea Pescetti
Not to steal the merits of others... under my name there are at least 4
people, due to the way SVN works. If I commit work by someone else, and
this happens for example for patches contributed through Bugzilla, SVN
(and, as a consequence, git) attributes it to me. Same for all other SVN
committers.
Regards,
Andrea.
---------------------------------------------------------------------
To unsubscribe, e-mail: qa-unsubscribe@openoffice.apache.org
For additional commands, e-mail: qa-help@openoffice.apache.org
Re: Progress and Quality
Posted by Pedro Lino <pe...@gmail.com>.
Hi Ariel
> Actually, the problem is that there aren't so many people participating
> in coding.
Unfortunately that is what I figured...
> Cloning http://git.apache.org/openoffice.git and running the
> commands at the bottom of this message gives a good overview of
> code-contribution (as it does not include the websites).
Ok. But the results would basically be the same. So the SVN activity
(excluding website) is a good way to check for updates to the code.
> The answer to
> your question might be that people at Hamburg are on Holidays.
>
That would seem to be the major explanation.
Thank you for the honest answer ;)
Regards,
Pedro
Re: Progress and Quality
Posted by Ariel Constenla-Haile <ar...@apache.org>.
Hi Pedro,
On Tue, Sep 16, 2014 at 11:06:56PM +0100, Pedro Lino wrote:
>>> I'm wondering if I'm missing something or development really
>>> stopped/slowed down since the 4.1.1 release?
>>>
>>
>> I can't speak for the others. But since the latest visible commit is
>> mine, I've been working more on the website in recent days.
>>
>
> Actually my question was more in the sense "Am I looking at the right
> statistics?" because I find it hard to believe that with so much to be
> done and so many people participating, there hasn't been a code change
> in 7 days...
Actually, the problem is that there aren't so many people participating
in coding. Cloning http://git.apache.org/openoffice.git and running the
commands at the bottom of this message gives a good overview of
code-contribution (as it does not include the websites). The answer to
your question might be that people at Hamburg are on Holidays.
openoffice.git]$ git shortlog --after={2013-09-17} -s -n
236 Herbert Dürr
126 Armin Le Grand
104 Oliver-Rainer Wittmann
83 Andre Fischer
74 Jürgen Schmidt
47 Juergen Schmidt
47 Steve Yin
43 Tsutomu Uchino
36 Ariel Constenla-Haile
26 Pavel Janík
24 Andrea Pescetti
22 Yuri Dario
11 Pedro Giffuni
5 Jan Iversen
4 Regina Henschel
2 Clarence Guo
2 Juan C. Sanz
2 tal
1 Kay Schenk
1 Raphael Bircher
1 Rob Weir
Including all branches:
openoffice.git]$ git shortlog --after={2013-09-17} -s -n --all
311 Herbert Dürr
158 Oliver-Rainer Wittmann
153 Armin Le Grand
119 Jürgen Schmidt
97 Juergen Schmidt
91 Andre Fischer
85 Jan Iversen
47 Steve Yin
43 Tsutomu Uchino
36 Ariel Constenla-Haile
29 Andrea Pescetti
26 Pavel Janík
22 Yuri Dario
11 Pedro Giffuni
5 Clarence Guo
5 Regina Henschel
2 Juan C. Sanz
2 tal
1 Kay Schenk
1 Raphael Bircher
1 Rob Weir
All-time stats:
openoffice.git]$ git shortlog -s -n --all
929 Herbert Dürr
806 Andrew Rist
679 Armin Le Grand
539 Jürgen Schmidt
408 Ariel Constenla-Haile
404 Andre Fischer
386 Oliver-Rainer Wittmann
375 Jan Iversen
353 Pedro Giffuni
209 Liu Zhe
175 Pavel Janík
97 Juergen Schmidt
94 Yuri Dario
72 Michael Stahl
72 Steve Yin
70 Andrea Pescetti
62 Eike Rathke
44 Jian Fang Zhang
43 Tsutomu Uchino
35 Mathias Bauer
34 Li Feng Wang
33 Wang Lei
31 Lei De Bin
25 Jian Hong Cheng
23 Zheng Fan
17 Regina Henschel
16 Zhe Wang
14 Greg Stein
13 Jianyuan Li
13 Sun Ying
11 Linyi Li
9 Joe Schaefer
8 Eric Bachard
8 Maho NAKATA
8 Rob Weir
5 Alexandro Colorado
5 Clarence Guo
5 David Fisher
4 Chen ZuoJun
4 DongJun Zong
4 Hongyun An
4 Yong Lin Ma
3 Damjan Jovanovic
2 Dennis E. Hamilton
2 Juan C. Sanz
2 Raphael Bircher
2 tal
1 Albino Neto
1 Kay Schenk
1 Yang Shih-Ching
1 Zhu Shan
1 rcweir
Regards
--
Ariel Constenla-Haile
La Plata, Argentina
Re: Progress and Quality
Posted by Pedro Lino <pe...@gmail.com>.
Hi Rob
> > You are focusing on security and exploits (which is obviously a very
> > important area). But I was thinking more in terms of program stability
> > *during* usage. I assume that Coverity's "project's defect density" would
> > reflect this?
> >
>
> The correlation is not clear. I'd note, for example, that the Swiss
> Supreme Court gave a presentation recently where they said they prefer
> Apache OpenOffice over LibreOffice because of the greater stability of
> AOO.
>
I do too. That is why I'm curious about this.
> If I had to guess, what is probably true is that defect density in
> newly written code is correlated to real-world quality, as seen by
> users. But 10-year old code? Over a long period of time serious
> bugs of this kind -- crash bugs and other instability issues -- tend
> to be identified by users and are either fixed or at least well-known.
> We're unlikely to find new serious instabilities by examining ancient
> code.
>
Fair enough. That is mostly true for repeatable bugs. My expectation was
that this kind of analysis would spot those hard to find bugs that cause
unreproducible crashes...
> > So I would be more interested in running a debug build that could log these
> > occasional crashes (if they are not occasional and I can replicate them, I
> > create a regular Issuezilla bug report).
> >
>
> What OS are you running on?
>
Windows (XP Pro x86 and 7 Pro x64)
Regards,
Pedro
Re: Progress and Quality
Posted by Rob Weir <ro...@apache.org>.
On Wed, Sep 17, 2014 at 10:40 AM, Pedro Lino <pe...@gmail.com> wrote:
> Hi Rob
>
>
>> Our main focus for finding latent security flaws has been via
>> "document fuzzing." It is more complicated to set up than just
>> running a static analysis tool but since it involves probing the
>> actual running code it is more effective in many ways. Historically
>> this is one of the primary ways that editors like OpenOffice are
>> exploited. Also, when security researchers report security flaws to
>> us, they are often flaws found from fuzzing. I don't recall ever
>> seeing a report that was derived from static analysis.
>>
>
> You are focusing on security and exploits (which is obviously a very
> important area). But I was thinking more in terms of program stability
> *during* usage. I assume that Coverity's "project's defect density" would
> reflect this?
>
The correlation is not clear. I'd note, for example, that the Swiss
Supreme Court gave a presentation recently where they said they prefer
Apache OpenOffice over LibreOffice because of the greater stability of
AOO.
If I had to guess, what is probably true is that defect density in
newly written code is correlated to real-world quality, as seen by
users. But 10-year old code? Over a long period of time serious
bugs of this kind -- crash bugs and other instability issues -- tend
to be identified by users and are either fixed or at least well-known.
We're unlikely to find new serious instabilities by examining ancient
code.
The other factor is the source of bugs. Research has shown (general
academic research, not AOO specifically) that a large percentage of
bugs in software are introduced when fixing other bugs. Whenever you
touch the code there is an opportunity for adding a new bug. So I'm
not a big fan of changing thousands of lines of code based on static
analysis. It can very well make the code less stable, not more.
Where we've used Coverity results it has been in a much more focused
way, looking for specific defects with impact.
>
>
>> If you want to read more about what we're doing with fuzzing you can
>> see my presentation from ApacheCon:
>> http://www.robweir.com/blog/publications/AOOFuzzing.pdf
>>
>> Also, if you are really interested in this area I can help you set up
>> a fuzzing environment. It works best if you have a machine (or a VM)
>> you can dedicate to it for a couple of weeks.
>>
>
> Very interesting stuff. Actually the few times I had any problem with AOO
> usage was not while opening files. They happen during regular work sessions
> where Calc/Writer/Impress would freeze completely and leave no other choice
> other than killing soffice (with consequent data loss)
>
> So I would be more interested in running a debug build that could log these
> occasional crashes (if they are not occasional and I can replicate them, I
> create a regular Issuezilla bug report).
>
What OS are you running on?
Regards,
-Rob
> Regards,
> Pedro
Re: Progress and Quality
Posted by Pedro Lino <pe...@gmail.com>.
Hi Rob
> Our main focus for finding latent security flaws has been via
> "document fuzzing." It is more complicated to set up than just
> running a static analysis tool but since it involves probing the
> actual running code it is more effective in many ways. Historically
> this is one of the primary ways that editors like OpenOffice are
> exploited. Also, when security researchers report security flaws to
> us, they are often flaws found from fuzzing. I don't recall ever
> seeing a report that was derived from static analysis.
>
You are focusing on security and exploits (which is obviously a very
important area). But I was thinking more in terms of program stability
*during* usage. I assume that Coverity's "project's defect density" would
reflect this?
> If you want to read more about what we're doing with fuzzing you can
> see my presentation from ApacheCon:
> http://www.robweir.com/blog/publications/AOOFuzzing.pdf
>
> Also, if you are really interested in this area I can help you set up
> a fuzzing environment. It works best if you have a machine (or a VM)
> you can dedicate to it for a couple of weeks.
>
Very interesting stuff. Actually the few times I had any problem with AOO
usage was not while opening files. They happen during regular work sessions
where Calc/Writer/Impress would freeze completely and leave no other choice
other than killing soffice (with consequent data loss)
So I would be more interested in running a debug build that could log these
occasional crashes (if they are not occasional and I can replicate them, I
create a regular Issuezilla bug report).
Regards,
Pedro
Re: Progress and Quality
Posted by Rob Weir <ro...@apache.org>.
On Tue, Sep 16, 2014 at 6:06 PM, Pedro Lino <pe...@gmail.com> wrote:
> Hi Andrea
>
>
> Thank you for the quick answer.
>
>>> I'm wondering if I'm missing something or development really stopped/slowed
>>> down since the 4.1.1 release?
>>>
>>
>> I can't speak for the others. But since the latest visible commit is mine,
>> I've been working more on the website in recent days.
>>
>
> Actually my question was more in the sense "Am I looking at the right
> statistics?" because I find it hard to believe that with so much to be done
> and so many people participating, there hasn't been a code change in 7
> days...
>
>
>>
>>> On a separate note, from a Quality perspective it would probably be a
>>> good idea if the Apache OpenOffice code was scanned by one of these Coverity
>>> analyses
>>>
>>
>> The Apache OpenOffice code is scanned by Coverity, and (since this is
>> considered security-relevant) data are privately accessible to some
>> developers.
>
>
> Is it possible to make public the "project's defect density" for Apache
> OpenOffice? I'm quite curious since I find AOO more stable than LO.
>
>
>
>> If I recall correctly (I've never seen them), most of the reports and
>> metrics did not seem very useful, since they included a lot of false
>> positives; one could silence those warnings by writing extra code or extra
>> assertions just to help the analyzer understand that nothing was wrong, but
>> this would be merely to please the analyzer and not to enhance the real
>> quality.
>
>
> That makes sense. But there are possibly some real leaks and bugs that
> could be attended...
>
Our main focus for finding latent security flaws has been via
"document fuzzing." It is more complicated to set up than just
running a static analysis tool but since it involves probing the
actual running code it is more effective in many ways. Historically
this is one of the primary ways that editors like OpenOffice are
exploited. Also, when security researchers report security flaws to
us, they are often flaws found from fuzzing. I don't recall ever
seeing a report that was derived from static analysis.
If you want to read more about what we're doing with fuzzing you can
see my presentation from ApacheCon:
http://www.robweir.com/blog/publications/AOOFuzzing.pdf
Also, if you are really interested in this area I can help you set up
a fuzzing environment. It works best if you have a machine (or a VM)
you can dedicate to it for a couple of weeks.
Regards,
-Rob
>
>> I haven't read the article you linked to yet, but if your point was
>> "Coverity should scan Apache OpenOffice" the answer is "This is already
>> happening".
>>
>
> Actually I meant some sort of scan, but since AOO is also scanned by
> Coverity then it would be interesting to know how the two compare.
>
> Regards,
> Pedro
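Rob describes "document fuzzing" above but the thread carries no code for it. What follows is an added example written for this page, not Rob's harness and not anything from the Apache OpenOffice repository: a mutation fuzzer that takes a seed ODF document, corrupts its content.xml stream in ways that target importer code (byte flips, overlong runs, deleted and duplicated chunks, extreme numeric attribute values), repacks the ZIP container so the corruption reaches the importer rather than the ZIP reader, and classifies each run as ok, crash or hang. The seed document is constructed inline; the `soffice` invocation (`--headless --convert-to pdf --outdir`, `-env:UserInstallation` for a throwaway profile) is an assumption about the AOO command line, not something stated in the thread.

```python
import io
import random
import re
import subprocess
import tempfile
import zipfile
from pathlib import Path

# Constructed seed: a minimal ODT assembled for this example, not an AOO test file.
ODF_NS = "urn:oasis:names:tc:opendocument:xmlns:"
SEED_CONTENT_XML = (
    f'<office:document-content xmlns:office="{ODF_NS}office:1.0"'
    f' xmlns:text="{ODF_NS}text:1.0" xmlns:table="{ODF_NS}table:1.0"'
    ' office:version="1.2"><office:body><office:text>'
    '<text:p>Fuzz seed paragraph.</text:p><table:table table:name="T1">'
    '<table:table-column table:number-columns-repeated="3"/><table:table-row>'
    '<table:table-cell table:number-columns-spanned="2"><text:p>cell</text:p>'
    '</table:table-cell></table:table-row></table:table>'
    '</office:text></office:body></office:document-content>'
)
SEED_MANIFEST_XML = (
    f'<manifest:manifest xmlns:manifest="{ODF_NS}manifest:1.0" manifest:version="1.2">'
    '<manifest:file-entry manifest:full-path="/"'
    ' manifest:media-type="application/vnd.oasis.opendocument.text"/>'
    '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>'
    '</manifest:manifest>'
)
NUMERIC_ATTR = re.compile(rb'="(\d+)"')
EXTREME_VALUES = [b"0", b"-1", b"2147483647", b"4294967295", b"99999999999"]

def write_odt(entries: dict) -> bytes:
    """Pack XML streams into an ODF container ('mimetype' first, uncompressed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text", zipfile.ZIP_STORED)
        for name, data in entries.items():
            if name != "mimetype":
                z.writestr(name, data, zipfile.ZIP_DEFLATED)
    return buf.getvalue()

def build_seed_odt() -> bytes:
    return write_odt({"content.xml": SEED_CONTENT_XML.encode(),
                      "META-INF/manifest.xml": SEED_MANIFEST_XML.encode()})

def replace_numeric_attr(data: bytes, rng: random.Random):
    """Swap one numeric attribute for an extreme value (overflows, huge allocations)."""
    matches = list(NUMERIC_ATTR.finditer(data))
    if not matches:
        return None
    m = rng.choice(matches)
    value = rng.choice([v for v in EXTREME_VALUES if v != m.group(1)])
    return data[:m.start(1)] + value + data[m.end(1):]

def mutate_bytes(data: bytes, rng: random.Random) -> bytes:
    """Apply one mutation; every branch is guaranteed to change the input."""
    n, choice = len(data), rng.randrange(5)
    if choice == 0:  # flip one byte; a non-zero XOR mask always changes it
        i = rng.randrange(n)
        return data[:i] + bytes([data[i] ^ rng.randint(1, 255)]) + data[i + 1:]
    if choice == 1:  # overlong run of text or markup bytes: fixed buffers, length checks
        i = rng.randrange(n + 1)
        return data[:i] + bytes([rng.choice(b'A<>&"')]) * rng.choice([256, 4096, 65536]) + data[i:]
    if choice == 2:  # delete a chunk: truncated or unbalanced markup
        i = rng.randrange(n)
        return data[:i] + data[min(n, i + rng.randint(1, 64)):]
    if choice == 3:  # duplicate a chunk: repeated elements and attributes
        i = rng.randrange(n)
        return data[:i] + data[i:min(n, i + rng.randint(1, 128))] + data[i:]
    out = replace_numeric_attr(data, rng)
    return out if out is not None else mutate_bytes(data, rng)

def mutate_document(seed: bytes, rng: random.Random, entry: str = "content.xml") -> bytes:
    """Mutate one XML stream and repack, so the ZIP layer stays valid and the importer is exercised."""
    with zipfile.ZipFile(io.BytesIO(seed)) as z:
        entries = {name: z.read(name) for name in z.namelist()}
    original = data = entries[entry]
    for _ in range(rng.randint(1, 4)):
        data = mutate_bytes(data, rng)
    while data == original:  # mutations could cancel out; never emit the seed itself
        data = mutate_bytes(data, rng)
    entries[entry] = data
    return write_odt(entries)

def run_soffice(doc: bytes, soffice: str = "soffice", timeout: int = 60) -> str:
    """Open one case in a headless office binary and return "ok", "crash" or "hang".
    Assumed, not stated in the thread: `soffice` is on PATH and accepts --headless,
    --convert-to, --outdir and -env:UserInstallation (a fresh profile per run)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, "case.odt")
        path.write_bytes(doc)
        try:
            proc = subprocess.run(
                [soffice, f"-env:UserInstallation=file://{tmp}/profile", "--headless",
                 "--norestore", "--convert-to", "pdf", "--outdir", tmp, str(path)],
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout)
        except subprocess.TimeoutExpired:
            return "hang"
    return "ok" if proc.returncode == 0 else "crash"  # negative code: killed by a signal

def fuzz(seed: bytes, iterations: int, rng: random.Random, target=run_soffice, out_dir=None) -> dict:
    """Return {iteration: outcome} for every non-"ok" case; with out_dir set, save those inputs for replay."""
    findings = {}
    for i in range(iterations):
        case = mutate_document(seed, rng)
        outcome = target(case)
        if outcome != "ok":
            findings[i] = outcome
            if out_dir:
                Path(out_dir, f"case-{i:06d}-{outcome}.odt").write_bytes(case)
    return findings
```

On a machine with the office suite installed, `fuzz(build_seed_odt(), 500, random.Random(), out_dir="crashes")` writes every crashing or hanging input to disk for minimisation and replay under a debugger; the `target` parameter exists so the mutation engine can be checked without launching soffice at all. Real campaigns replace the constructed seed with a corpus of genuine documents (the more importer code paths the seeds cover, the more the mutations reach), and, as Rob notes, need a dedicated machine or VM for weeks rather than minutes.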
Re: Progress and Quality
Posted by Pedro Lino <pe...@gmail.com>.
Hi Andrea
Thank you for the quick answer.
>> I'm wondering if I'm missing something or development really stopped/slowed
>> down since the 4.1.1 release?
>>
>
> I can't speak for the others. But since the latest visible commit is mine,
> I've been working more on the website in recent days.
>
Actually my question was more in the sense "Am I looking at the right
statistics?" because I find it hard to believe that with so much to be done
and so many people participating, there hasn't been a code change in 7
days...
>
>> On a separate note, from a Quality perspective it would probably be a
>> good idea if the Apache OpenOffice code was scanned by one of these Coverity
>> analyses
>>
>
> The Apache OpenOffice code is scanned by Coverity, and (since this is
> considered security-relevant) data are privately accessible to some
> developers.
Is it possible to make public the "project's defect density" for Apache
OpenOffice? I'm quite curious since I find AOO more stable than LO.
> If I recall correctly (I've never seen them), most of the reports and
> metrics did not seem very useful, since they included a lot of false
> positives; one could silence those warnings by writing extra code or extra
> assertions just to help the analyzer understand that nothing was wrong, but
> this would be merely to please the analyzer and not to enhance the real
> quality.
That makes sense. But there are possibly some real leaks and bugs that
could be attended...
> I haven't read the article you linked to yet, but if your point was
> "Coverity should scan Apache OpenOffice" the answer is "This is already
> happening".
>
Actually I meant some sort of scan, but since AOO is also scanned by
Coverity then it would be interesting to know how the two compare.
Regards,
Pedro
Re: Progress and Quality
Posted by Andrea Pescetti <pe...@apache.org>.
On 16/09/2014 Pedro Lino wrote:
> I'm wondering if I'm missing something or development really stopped/slowed
> down since the 4.1.1 release?
I can't speak for the others. But since the latest visible commit is
mine, I've been working more on the website in recent days.
> On a separate note, from a Quality perspective it would probably be a
> good idea if the Apache OpenOffice code was scanned by one of these Coverity
> analyses
The Apache OpenOffice code is scanned by Coverity, and (since this is
considered security-relevant) data are privately accessible to some
developers. If I recall correctly (I've never seen them), most of the
reports and metrics did not seem very useful, since they included a lot
of false positives; one could silence those warnings by writing extra
code or extra assertions just to help the analyzer understand that
nothing was wrong, but this would be merely to please the analyzer and
not to enhance the real quality. I haven't read the article you linked
to yet, but if your point was "Coverity should scan Apache OpenOffice"
the answer is "This is already happening".
Regards,
Andrea.