From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Thomas Huth <thuth@redhat.com>
Cc: qemu-devel@nongnu.org, "Michael S. Tsirkin" <mst@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [qemu-web PATCH] security: rework guideline about issue URL / CVE references
Date: Fri, 19 Jun 2026 09:41:44 +0100	[thread overview]
Message-ID: <ajUAyOd7mYaeiAlD@redhat.com> (raw)
In-Reply-To: <ff565264-cabf-45d7-81e2-a35a23c79638@redhat.com>

On Fri, Jun 19, 2026 at 10:27:33AM +0200, Thomas Huth wrote:
> On 19/06/2026 10.22, Daniel P. Berrangé wrote:
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > 
> > This incorporates the feedback that Michael provided on the
> > just merged security process changes.
> > 
> >   contribute/security-process.md | 23 ++++++++++++++++-------
> >   1 file changed, 16 insertions(+), 7 deletions(-)
> > 
> > diff --git a/contribute/security-process.md b/contribute/security-process.md
> > index c091fa1..146e9cd 100644
> > --- a/contribute/security-process.md
> > +++ b/contribute/security-process.md
> > @@ -92,19 +92,28 @@ be scrubbed before disclosure.
> >    * The maintainer(s) will develop and/or review patch(es)
> >      for the issue privately, optionally attaching work in
> > -   progress fixes to the GitLab issues. All patches must
> > -   include the issue URL in the commit message(s). The
> > -   **"Workflow::In Progress"** label should be assigned when
> > +   progress fixes to the GitLab issues. The
> > +   **"Workflow::In Progress"** label can be assigned when
> >      a maintainer starts working on a fix.
> >    * When a CVE is allocated, it must be recorded as a comment on
> >      the GitLab issue, and the **"CVE::Required"** label replaced by
> >      the **"CVE::Assigned"** label.
> > - * The maintainer(s) will update the commit message(s) to include
> > -   the assigned CVE and issue URL. If multiple commits are required
> > -   to fix an issue the CVE must be included in the final commit in
> > -   the series, and may optionally be included in all prior commits.
> > + * The maintainer(s) will update the commit message(s) before
> > +   sending a pull request to include the assigned CVE and issue
> > +   URL in the following format:
> > +
> > +     ```
> > +     Fixes: CVE-1980-12345
> 
> So far we used "Fixes:" to indicate the commit ID of the patch that
> contained the bug. So maybe it's better to use something like "CVE:"
> instead?

We've used it a lot for CVEs too:

  $ git log | grep 'Fixes: CVE'  | wc -l
  116


> > +     Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75
> 
> Maybe best to use a number here that does not exist, e.g. "42".

Oh yes, good idea.

> 
>  Thomas
> 
> 
> > +     Reviewed-by: Not Me <notme@elsewhere.com>
> > +     Signed-off-by: Some One <someone@somewhere.com>
> > +     ```
> > +
> > +   If multiple commits are required to fix an issue the CVE must
> > +   be included in the final commit in the series, and may optionally
> > +   be included in all prior commits.
> >    * When the maintainer(s) are satisfied that the patch(es) are
> >      suitable to propose for merge, they must be submitted to
> 
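Review bot: the multi-commit rule in the new closing paragraph only covers the CVE, while the sentence being removed ("All patches must include the issue URL in the commit message(s)") was the only place that required the issue URL on every commit; with both changes the reader no longer knows whether the "Resolves:" line must appear on every commit of a series or only on the final one. Suggest saying so explicitly alongside the CVE rule, e.g. "the CVE and issue URL must be included in the final commit in the series, and may optionally be included in all prior commits", or stating that the issue URL is required on all of them if that is the intent.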

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|
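The trailer format proposed in the patch (a "Fixes: CVE-..." line plus a "Resolves:" work-item URL, required on the final commit of a series and optional on earlier ones) can be checked mechanically before a pull request goes out. The script below is an added example, not part of this thread or the qemu-web repository; the CVE id and work-item number it uses are constructed placeholders, and the trailer parsing (last paragraph only, "Key: value" lines) is an assumption modelled on how git itself reads trailers.

```python
import re
from typing import Dict, List

# Trailer shapes taken from the security-process.md text under discussion.
# The CVE id and work-item number used in tests are constructed placeholders.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
ISSUE_RE = re.compile(r"^https://gitlab\.com/qemu-project/qemu/-/work_items/\d+$")


def parse_trailers(message: str) -> Dict[str, List[str]]:
    """Collect 'Key: value' lines from the final paragraph of a commit message."""
    paragraphs = [p for p in message.strip().split("\n\n") if p.strip()]
    trailers: Dict[str, List[str]] = {}
    if not paragraphs:
        return trailers
    for line in paragraphs[-1].splitlines():
        key, sep, value = line.partition(":")
        # A trailer key is a single token such as Fixes or Signed-off-by.
        if sep and key.strip() and " " not in key.strip():
            trailers.setdefault(key.strip(), []).append(value.strip())
    return trailers


def check_series(messages: List[str]) -> List[str]:
    """Check an ordered patch series against the documented rule: the final
    commit must carry 'Fixes: CVE-...' and 'Resolves: <issue URL>'; earlier
    commits may carry them, but whatever is present must be well formed.
    'Fixes: <commit id>' lines (the other established use) are left alone."""
    problems: List[str] = []
    if not messages:
        return ["empty series"]
    last = len(messages)
    for n, msg in enumerate(messages, 1):
        t = parse_trailers(msg)
        cves = [v for v in t.get("Fixes", []) if v.startswith("CVE")]
        urls = t.get("Resolves", [])
        for v in cves:
            if not CVE_RE.match(v):
                problems.append(f"patch {n}: malformed CVE id '{v}'")
        for u in urls:
            if not ISSUE_RE.match(u):
                problems.append(f"patch {n}: unexpected issue URL '{u}'")
        if n == last:
            if not cves:
                problems.append(f"patch {n}: final commit lacks 'Fixes: CVE-...'")
            if not urls:
                problems.append(f"patch {n}: final commit lacks 'Resolves:' issue URL")
    return problems
```

Feed it the commit messages of a series in order (for example from `git log --reverse --format=%B` split on commit boundaries) and an empty result means the series matches the documented format.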
