From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: qemu-devel@nongnu.org, "Alex Bennée" <alex.bennee@linaro.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Pierrick Bouvier" <pierrick.bouvier@oss.qualcomm.com>,
"Thomas Huth" <thuth@redhat.com>,
"Mauro Matteo Cascella" <mcascell@redhat.com>
Subject: Re: [qemu-web PATCH v2 3/3] contribute: switch security process to gitlab confidential issues
Date: Thu, 18 Jun 2026 17:07:10 +0100 [thread overview]
Message-ID: <ajQXrpKNx4NnhUKa@redhat.com> (raw)
In-Reply-To: <20260618112415-mutt-send-email-mst@kernel.org>
On Thu, Jun 18, 2026 at 11:30:29AM -0400, Michael S. Tsirkin wrote:
> > + * The maintainer(s) will develop and/or review patch(es)
> > + for the issue privately, optionally attaching work in
> > + progress fixes to the GitLab issues.
>
> attaching how? how do i ask reported to test the fix?
> was easy in the email flow.
You can add arbitrary attachments in gitlab issue comments.
> > All patches must
> > + include the issue URL in the commit message(s).
>
> you mean the commit message of the patches I presume?
> there's no commit at that point.
Well I presume the maintainer will have a local git tree
with a work-in-progress commit.
> > The
> > + **"Workflow::In Progress"** label should be assigned when
> > + a maintainer starts working on a fix.
>
> That's a bit heavy, and what is "working" anyway.
> It's an issue tracker not a planning app.
> Don't try to make it one.
Various "Workflow::" labels are already present in our gitlab
instance. We don't use them consistently - this text is just
a pointer that the're there.
>
>
> > + * When a CVE is allocated, it must be recorded as a comment on
> > + the GitLab issue, and the **"CVE::Required"** label replaced by
> > + the **"CVE::Assigned"** label.
>
> Recorded as a comment how exactly, in what format?
In plain text.
>
> > + * The maintainer(s) will update the commit message(s)
>
> what does it mean to "update the commit message"?
The commit message for the patch the maintainer has in their
tree.
> > to include
> > + the assigned CVE and issue URL. If multiple commits are required
> > + to fix an issue the CVE must be included in the final commit in
> > + the series, and may optionally be included in all prior commits.
>
> And here, included in what format?
The CVE just needs to exist somewhere/anywhere in the commit message.
It is common to put it in the first line, or with tags before SoB
but it doesn't really matter as long as we have a record of it in
the patch.
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
next prev parent reply other threads:[~2026-06-18 16:08 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-18 13:20 [qemu-web PATCH v2 0/3] switch to GitLab confidential issues for security disclosure Daniel P. Berrangé
2026-06-18 13:20 ` [qemu-web PATCH v2 1/3] contribute: reformat/restructure bug report guidance Daniel P. Berrangé
2026-06-18 13:40 ` Alex Bennée
2026-06-18 13:55 ` Philippe Mathieu-Daudé
2026-06-18 13:20 ` [qemu-web PATCH v2 2/3] contribute: add automated tool disclosure to bug reporting Daniel P. Berrangé
2026-06-18 13:41 ` Alex Bennée
2026-06-18 13:20 ` [qemu-web PATCH v2 3/3] contribute: switch security process to gitlab confidential issues Daniel P. Berrangé
2026-06-18 13:42 ` Alex Bennée
2026-06-18 14:07 ` Philippe Mathieu-Daudé
2026-06-18 14:20 ` Daniel P. Berrangé
2026-06-18 14:28 ` Philippe Mathieu-Daudé
2026-06-18 14:42 ` Michael S. Tsirkin
2026-06-18 15:06 ` Daniel P. Berrangé
2026-06-18 15:51 ` Michael S. Tsirkin
2026-06-18 14:49 ` Mauro Matteo Cascella
2026-06-18 15:30 ` Michael S. Tsirkin
2026-06-18 16:07 ` Daniel P. Berrangé [this message]
2026-06-18 16:23 ` Michael S. Tsirkin
2026-06-18 16:33 ` Daniel P. Berrangé
2026-06-18 16:39 ` Michael S. Tsirkin
2026-06-18 16:55 ` Daniel P. Berrangé
2026-06-18 17:03 ` Michael S. Tsirkin
2026-06-18 18:05 ` [qemu-web PATCH v2 0/3] switch to GitLab confidential issues for security disclosure Thomas Huth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ajQXrpKNx4NnhUKa@redhat.com \
--to=berrange@redhat.com \
--cc=alex.bennee@linaro.org \
--cc=mcascell@redhat.com \
--cc=mst@redhat.com \
--cc=pbonzini@redhat.com \
--cc=pierrick.bouvier@oss.qualcomm.com \
--cc=qemu-devel@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.