FOSSA - Now we need feedback by the real experts

Matthias Kirschner mk at
Tue Jul 26 08:42:06 UTC 2016

Thank you all for the feedback until now. The people in the commission
are on vacation until mid August, afterwards I will send them summaries
so they can improve the pilot project further. Our goal would be that
they learn from the pilot project and continue with a new budget

Meanwhile there are more deliverables available online:

I thought it might be best if I share the notes here, so if anyone also
wants to have a look at them, you do not have to start at zero.

I would be especially interested in your feedback about the security
tools (marked with TODO below).

# Deliverable 10: List of Tools and Methods for Communicating the Results of Code Reviews

My question when reading this are:

* How do you make sure Free Software developers actually read the results of
  the code audits? 
* How are the Free Software communities informed?
* How do you restrict access, if you e.g. publish it on their public mailing
  list? Is there first a step to identify security people, or trusted people in
  Free Software projects?

# Deliverable 9: List of Requirements for Code Reviews

Page 42: Type of License: FOSS/OSS/Commercial does not make any sense. Either
it is Free Software/Open Source, or not. It can be commercial and Free
Software/Open Source. Suggestion to changed it to:

* 3 for Free Software/Open Source with commercial support
* 0 for proprietary 

For "Support available" it might make sense to differ if a company is available
to give support, or if you have to go into a form to ask people.

* 3 - Yes, commercial and non-commercial
* 2 - Yes, commerical
* 1 - Yes, non-commercial
* 0 - No

Again here it looks as if they are mainly concentrating on web tools. E.g.
"Can review Java and/or PHP" how does that relate to code reviews in general? Or

  Any SQL sentences used must be analysed in order to ensure that there are no
  vulnerabilities related to SQL Injections

What if SQL is not used in the software?

TODO: "1.1.1. Results of the Pre-selection" (p60 following). SonarQube has the
highest rank but the Conclusion is in the end:

1. For Java projects: FindBugs
2. For PHP projects: RIPS
3. For Java and PHP: VCG
4. For Java and PHP: YASCA

  All the tools within the scope of this study are more or less
  efficient. SonarQube has a lot of potential as well, since its
  plugins are constantly being improved. PMD does not seem to be very
  valuable for secure code reviews, however it is a great tool for
  quality code review.

How do people see that?

# Deliverable 11: Design of the Method for Performing the Code Reviews for the European Institutions

Not sure I understand what that deliverable is supposed to be about.
Maybe someone else understands that.


Matthias Kirschner - President - Free Software Foundation Europe
Schönhauser Allee 6/7, 10119 Berlin, Germany | t +49-30-27595290
Registered at Amtsgericht Hamburg, VR 17030  | (
Contact (  -  Weblog (

More information about the Discussion mailing list