From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Thomas Huth" <thuth@redhat.com>,
"Michael S. Tsirkin" <mst@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>
Subject: [qemu-web PATCH] security: rework guideline about issue URL / CVE references
Date: Fri, 19 Jun 2026 09:22:36 +0100 [thread overview]
Message-ID: <20260619082236.1175764-1-berrange@redhat.com> (raw)
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
This incorporates the feedback that Michael provided on the
just merged security process changes.
contribute/security-process.md | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/contribute/security-process.md b/contribute/security-process.md
index c091fa1..146e9cd 100644
--- a/contribute/security-process.md
+++ b/contribute/security-process.md
@@ -92,19 +92,28 @@ be scrubbed before disclosure.
* The maintainer(s) will develop and/or review patch(es)
for the issue privately, optionally attaching work in
- progress fixes to the GitLab issues. All patches must
- include the issue URL in the commit message(s). The
- **"Workflow::In Progress"** label should be assigned when
+ progress fixes to the GitLab issues. The
+ **"Workflow::In Progress"** label can be assigned when
a maintainer starts working on a fix.
* When a CVE is allocated, it must be recorded as a comment on
the GitLab issue, and the **"CVE::Required"** label replaced by
the **"CVE::Assigned"** label.
- * The maintainer(s) will update the commit message(s) to include
- the assigned CVE and issue URL. If multiple commits are required
- to fix an issue the CVE must be included in the final commit in
- the series, and may optionally be included in all prior commits.
+ * The maintainer(s) will update the commit message(s) before
+ sending a pull request to include the assigned CVE and issue
+ URL in the following format:
+
+ ```
+ Fixes: CVE-1980-12345
+ Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75
+ Reviewed-by: Not Me <notme@elsewhere.com>
+ Signed-off-by: Some One <someone@somewhere.com>
+ ```
+
+ If multiple commits are required to fix an issue the CVE must
+ be included in the final commit in the series, and may optionally
+ be included in all prior commits.
* When the maintainer(s) are satisfied that the patch(es) are
suitable to propose for merge, they must be submitted to
--
2.54.0
next reply other threads:[~2026-06-19 8:23 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-19 8:22 Daniel P. Berrangé [this message]
2026-06-19 8:27 ` [qemu-web PATCH] security: rework guideline about issue URL / CVE references Thomas Huth
2026-06-19 8:41 ` Daniel P. Berrangé
2026-06-19 8:45 ` Thomas Huth
2026-06-19 8:27 ` Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260619082236.1175764-1-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.