From: Eduardo Valentin <edubezval@gmail.com>
To: ksummit-discuss@lists.linuxfoundation.org
Subject: [Ksummit-discuss] [MAINTAINERS SUMMIT] CVE patches annotation
Date: Mon, 10 Sep 2018 18:11:00 -0700
Message-ID: <20180911011056.GA6958@localhost.localdomain>
Hello,
I would like to open a discussion on improving the annotation
around CVE patches in the Linux kernel. Today, the kernel Documentation
mentions CVE assignment and asks, as a good practice, to at least
mention the CVE number in the patch [1]. But is that enough?
Should the kernel have more info about which patches fix a specific
CVE?
Some of the challenges with the current process:
- The info about what CVEs have been patched in a kernel is
outside the kernel tree / git history.
- Today, some patches have the CVE info, and many others do not mention
anything about the CVE number.
- As mentioned in the kernel documentation [1], the CVE number is not
always assigned when the patch(es) go into the kernel tree, so
maybe this may require some post-merge annotation?
- It is not always straightforward to know what patches are needed to
fix the CVE, especially in cases where the fix requires a series of
preparation work before the actual fix.
Especially in the latter case, annotation can help, especially while
backporting.
BR,
[1] - https://www.kernel.org/doc/html/latest/admin-guide/security-bugs.html
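As an added illustration (not part of this email and not kernel tooling): a small Python script that indexes a `git log` by the CVE ids mentioned in commit messages, which is the only annotation the documentation currently asks for, and lists the commits that carry no CVE id at all. The log text, the short hashes and CVE-0000-0001 are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of `git log --format='%h%n%s%n%b%x00'` output. The short
# hashes and CVE-0000-0001 are placeholders, not real kernel history or CVEs.
SAMPLE_LOG = """\
aaaaaaaaaaaa
net: foo: split out buffer length handling
Preparation for the CVE-0000-0001 fix; no functional change intended.
\x00
bbbbbbbbbbbb
net: foo: validate length before copying into the buffer
Rejects oversized frames that could overrun the buffer. CVE-0000-0001
\x00
cccccccccccc
drivers: bar: drop unused include
\x00
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def parse_log(text):
    """Split NUL-terminated records into (short_hash, subject, body) tuples."""
    commits = []
    for rec in text.split("\x00"):
        rec = rec.strip("\n")
        if not rec:
            continue
        lines = rec.split("\n")
        subject = lines[1] if len(lines) > 1 else ""
        commits.append((lines[0], subject, "\n".join(lines[2:])))
    return commits


def commits_by_cve(text):
    """Map each CVE id found in a subject or body to the commits (in log order)
    that mention it, so preparation patches naming the CVE are picked up
    alongside the actual fix."""
    index = defaultdict(list)
    for sha, subject, body in parse_log(text):
        for cve in sorted(set(CVE_RE.findall(subject + "\n" + body))):
            index[cve].append(sha)
    return dict(index)


def unannotated(text):
    """Commits whose message carries no CVE id at all."""
    return [sha for sha, subject, body in parse_log(text)
            if not CVE_RE.search(subject + "\n" + body)]
```

Run it against real history with `git log --format='%h%n%s%n%b%x00' v4.18..v4.19 | python3 -c 'import sys, cve_index; ...'` style plumbing; the preparation patch above is found only because its message happens to name the CVE, which is exactly the gap the proposal is about.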