From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id kP5GOSdxoWAGPAAAgWs5BA (envelope-from ) for ; Sun, 16 May 2021 21:23:19 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id YA3MNCdxoWDzFwAAbx9fmQ (envelope-from ) for ; Sun, 16 May 2021 19:23:19 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id A1F7A179A5 for ; Sun, 16 May 2021 21:23:19 +0200 (CEST) Received: from localhost ([::1]:36256 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1liMMA-0005XX-Qn for larch@yhetil.org; Sun, 16 May 2021 15:23:18 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:36486) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1liMM2-0005XH-KO for guix-devel@gnu.org; Sun, 16 May 2021 15:23:10 -0400 Received: from mx1.riseup.net ([198.252.153.129]:35736) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1liMLz-0000jq-SA for guix-devel@gnu.org; Sun, 16 May 2021 15:23:10 -0400 Received: from fews1.riseup.net (fews1-pn.riseup.net [10.0.1.83]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4Fjsc930kkzDrBf for ; Sun, 16 May 2021 12:23:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1621192985; bh=hcbxU4Lo20+rq7gsZMdHHHbBsgisVypa69mDfayadfM=; h=Date:From:To:Subject:From; b=EAUMy6h5y3n/BX9HTI5WlKp30IoSNyp0m5naUCQfSxYVroF+8XUjDJbMn3MeE8Hm5 vvmzulFGiAGft+qkvGyGzkmSKmb8MVqIzNaJ6K3jIg0j4cNGDhXne6TGpUZoMtXUcX 4l6cATVN88Ql/pkSZ7DWTmLeUJKlLc/N8hdhjJXA= X-Riseup-User-ID: 77B6E1B23E7F4658C22C8145A86D25BB326206DCD1C78A95DEAE539E79F6D89F Received: from [127.0.0.1] (localhost [127.0.0.1]) by fews1.riseup.net (Postfix) with ESMTPSA id 4Fjsc84qVkz5vbC for ; Sun, 16 May 2021 12:23:04 -0700 (PDT) Date: Sun, 16 May 2021 21:22:42 +0200 From: raingloom To: "guix-devel@gnu.org" Subject: [spitball] integrating analyzers into build systems Message-ID: <20210516212242.68923751@riseup.net> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Received-SPF: pass client-ip=198.252.153.129; envelope-from=raingloom@riseup.net; helo=mx1.riseup.net X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1621192999; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature; bh=hcbxU4Lo20+rq7gsZMdHHHbBsgisVypa69mDfayadfM=; b=Cue2FhKGVw+QEYnXZaV7N5kJFdYdDnWokOyYaz/bljhxxWigOyc8CCSwgicS8F1Gi7t3LJ TU9bF/DmLOiYLzML1BUT/JtXLJ/+5bo84mSicf3i3Zd0vNrI/7zPQRhKeTUHyzYkT+rlpg VspS3vwer6gWyGiAElC/WLJ4DZJ/PyIW5yBnpfBdW1LgeQuzvlkdA1Y3nMmxWLE9+ytdzb JXSYG2xR02r1AS6NJ/fpTnsWdRtnlNKuB+rlXqnjxZxfJMe3VQRyHDcSp3rwz9LcVdOwzZ O/KLr+SPRjiO5l9uaPsbCdnQwZdFja8BNc0b0YWV0tTBtO/SHUNxXkS5Xr9G2A== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1621192999; a=rsa-sha256; cv=none; b=NVfDKxZljns/LB6a34SPiqYroSRIDzB6vUYJcBf2eDs9nt9OW68/Bhw3ca+lpEzN30W8LR 5Y3CNvSo8O1vPgeurkthyCzXUwBnqB7tXpUzJkQM42zT+xKjT5og/tlr6TtIj2zM8cdqN+ b/vDCOOfiBAXLZMKmlNFoSXng9NzvXjl4D1UYud+f/0xdmeY5bVhZYZdbrj0GXV7Wkuhsq aDkP2XETmhc3pbJkw/6i0CYGxSQucc5lBxbf2WTDKAq8fc61Yofz18+hHolKeyo7Br7Y05 qq3hoTlAIt0Qb+KvIQPyn4olV+20TuGzRAeZnP//vOTDC5CvJwmnJycKUxtIcg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=riseup.net header.s=squak header.b=EAUMy6h5; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -1.65 Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=riseup.net header.s=squak header.b=EAUMy6h5; dmarc=pass (policy=none) header.from=riseup.net; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: A1F7A179A5 X-Spam-Score: -1.65 X-Migadu-Scanner: scn0.migadu.com X-TUID: 1KFjVWb7HSea Would it make sense to run analyzers like Infer or MyPy at build time? Maybe have something like --with-debug, so if there is an analyzer-log output, only then is Infer ran? In theory these tools are more useful for developers, but it's still potentially useful to independently analyze our software for memory safety and other errors, but also the build might run in or target an environment the upstream developer didn't anticipate, for example when cross compiling, or it could just straight up be patched and not identical to whatever upstream verified as working. Could also just be used to scan our software for vulnerabilities. Anyways, just throwing this out there. I don't think it would have immediate benefits, but it could be nice in the long term.