From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Thomas Huth" <thuth@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>
Subject: [qemu-web PATCH v2] security: rework guideline about issue URL / CVE references
Date: Fri, 19 Jun 2026 10:15:08 +0100 [thread overview]
Message-ID: <20260619091508.1194994-1-berrange@redhat.com> (raw)
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
In v2:
- Use non-existing issue number as example
- Mention both issue URL and CVE to be optionally included
in all commit messages in a series
contribute/security-process.md | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/contribute/security-process.md b/contribute/security-process.md
index c091fa1..0ec1952 100644
--- a/contribute/security-process.md
+++ b/contribute/security-process.md
@@ -92,19 +92,28 @@ be scrubbed before disclosure.
* The maintainer(s) will develop and/or review patch(es)
for the issue privately, optionally attaching work in
- progress fixes to the GitLab issues. All patches must
- include the issue URL in the commit message(s). The
- **"Workflow::In Progress"** label should be assigned when
+ progress fixes to the GitLab issues. The
+ **"Workflow::In Progress"** label can be assigned when
a maintainer starts working on a fix.
* When a CVE is allocated, it must be recorded as a comment on
the GitLab issue, and the **"CVE::Required"** label replaced by
the **"CVE::Assigned"** label.
- * The maintainer(s) will update the commit message(s) to include
- the assigned CVE and issue URL. If multiple commits are required
- to fix an issue the CVE must be included in the final commit in
- the series, and may optionally be included in all prior commits.
+ * The maintainer(s) will update the commit message(s) before
+ sending a pull request to include the assigned CVE and issue
+ URL in the following format:
+
+ ```
+ Fixes: CVE-1980-12345
+ Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/42
+ Reviewed-by: Not Me <notme@elsewhere.com>
+ Signed-off-by: Some One <someone@somewhere.com>
+ ```
+
+ If multiple commits are required to fix an issue the CVE & issue
+ URL must be included in the final commit in the series, and may
+ optionally be included in all prior commits.
* When the maintainer(s) are satisfied that the patch(es) are
suitable to propose for merge, they must be submitted to
--
2.54.0
next reply other threads:[~2026-06-19 9:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-19 9:15 Daniel P. Berrangé [this message]
2026-06-20 15:22 ` [qemu-web PATCH v2] security: rework guideline about issue URL / CVE references Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260619091508.1194994-1-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.