* [qemu-web PATCH v2] security: rework guideline about issue URL / CVE references
@ 2026-06-19 9:15 Daniel P. Berrangé
2026-06-20 15:22 ` Michael S. Tsirkin
0 siblings, 1 reply; 2+ messages in thread
From: Daniel P. Berrangé @ 2026-06-19 9:15 UTC (permalink / raw)
To: qemu-devel
Cc: Michael S. Tsirkin, Paolo Bonzini, Thomas Huth,
Daniel P. Berrangé
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
In v2:
- Use a non-existent issue number as the example
- Mention that both the issue URL and CVE may optionally be included
in all commit messages in a series
contribute/security-process.md | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/contribute/security-process.md b/contribute/security-process.md
index c091fa1..0ec1952 100644
--- a/contribute/security-process.md
+++ b/contribute/security-process.md
@@ -92,19 +92,28 @@ be scrubbed before disclosure.
* The maintainer(s) will develop and/or review patch(es)
for the issue privately, optionally attaching work in
- progress fixes to the GitLab issues. All patches must
- include the issue URL in the commit message(s). The
- **"Workflow::In Progress"** label should be assigned when
+ progress fixes to the GitLab issues. The
+ **"Workflow::In Progress"** label can be assigned when
a maintainer starts working on a fix.
* When a CVE is allocated, it must be recorded as a comment on
the GitLab issue, and the **"CVE::Required"** label replaced by
the **"CVE::Assigned"** label.
- * The maintainer(s) will update the commit message(s) to include
- the assigned CVE and issue URL. If multiple commits are required
- to fix an issue the CVE must be included in the final commit in
- the series, and may optionally be included in all prior commits.
+ * The maintainer(s) will update the commit message(s) before
+ sending a pull request to include the assigned CVE and issue
+ URL in the following format:
+
+ ```
+ Fixes: CVE-1980-12345
+ Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/42
+ Reviewed-by: Not Me <notme@elsewhere.com>
+ Signed-off-by: Some One <someone@somewhere.com>
+ ```
+
+ If multiple commits are required to fix an issue the CVE & issue
+ URL must be included in the final commit in the series, and may
+ optionally be included in all prior commits.
* When the maintainer(s) are satisfied that the patch(es) are
suitable to propose for merge, they must be submitted to
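Review bot: the trailer example in the added paragraph uses a `/-/work_items/42` path, while the unchanged context at the top of this hunk still speaks of "the GitLab issues" and the new sentence calls it the "issue URL"; either say explicitly that the `work_items` form is the one maintainers should paste into `Resolves:`, or use the `/-/issues/` form so the example and the wording agree. A minor style point in the same paragraph: "the CVE & issue URL must be included" should read "the CVE and issue URL must be included" to match the rest of the document, which never abbreviates "and".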
--
2.54.0
* Re: [qemu-web PATCH v2] security: rework guideline about issue URL / CVE references
From: Michael S. Tsirkin @ 2026-06-20 15:22 UTC (permalink / raw)
To: Daniel P. Berrangé; +Cc: qemu-devel, Paolo Bonzini, Thomas Huth
On Fri, Jun 19, 2026 at 10:15:08AM +0100, Daniel P. Berrangé wrote:
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
> ---
>
> In v2:
>
> - Use a non-existent issue number as the example
> - Mention that both the issue URL and CVE may optionally be included
> in all commit messages in a series
>
> contribute/security-process.md | 23 ++++++++++++++++-------
> 1 file changed, 16 insertions(+), 7 deletions(-)
>
> diff --git a/contribute/security-process.md b/contribute/security-process.md
> index c091fa1..0ec1952 100644
> --- a/contribute/security-process.md
> +++ b/contribute/security-process.md
> @@ -92,19 +92,28 @@ be scrubbed before disclosure.
>
> * The maintainer(s) will develop and/or review patch(es)
> for the issue privately, optionally attaching work in
> - progress fixes to the GitLab issues. All patches must
> - include the issue URL in the commit message(s). The
> - **"Workflow::In Progress"** label should be assigned when
> + progress fixes to the GitLab issues. The
> + **"Workflow::In Progress"** label can be assigned when
> a maintainer starts working on a fix.
>
> * When a CVE is allocated, it must be recorded as a comment on
> the GitLab issue, and the **"CVE::Required"** label replaced by
> the **"CVE::Assigned"** label.
>
> - * The maintainer(s) will update the commit message(s) to include
> - the assigned CVE and issue URL. If multiple commits are required
> - to fix an issue the CVE must be included in the final commit in
> - the series, and may optionally be included in all prior commits.
> + * The maintainer(s) will update the commit message(s) before
> + sending a pull request to include the assigned CVE and issue
> + URL in the following format:
> +
> + ```
> + Fixes: CVE-1980-12345
> + Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/42
> + Reviewed-by: Not Me <notme@elsewhere.com>
> + Signed-off-by: Some One <someone@somewhere.com>
> + ```
> +
> + If multiple commits are required to fix an issue the CVE & issue
> + URL must be included in the final commit in the series, and may
> + optionally be included in all prior commits.
>
> * When the maintainer(s) are satisfied that the patch(es) are
> suitable to propose for merge, they must be submitted to
> --
> 2.54.0