[qemu-web PATCH] security: rework guideline about issue URL / CVE references

All of lore.kernel.org
 help / color / mirror / Atom feed

* [qemu-web PATCH] security: rework guideline about issue URL / CVE references
@ 2026-06-19  8:22 Daniel P. Berrangé
  2026-06-19  8:27 ` Thomas Huth
  2026-06-19  8:27 ` Michael S. Tsirkin
  0 siblings, 2 replies; 5+ messages in thread
From: Daniel P. Berrangé @ 2026-06-19  8:22 UTC (permalink / raw)
  To: qemu-devel
  Cc: Thomas Huth, Michael S. Tsirkin, Paolo Bonzini,
	Daniel P. Berrangé

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---

This incorporates the feedback that Michael provided on the
just merged security process changes.

 contribute/security-process.md | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/contribute/security-process.md b/contribute/security-process.md
index c091fa1..146e9cd 100644
--- a/contribute/security-process.md
+++ b/contribute/security-process.md
@@ -92,19 +92,28 @@ be scrubbed before disclosure.
 
  * The maintainer(s) will develop and/or review patch(es)
    for the issue privately, optionally attaching work in
-   progress fixes to the GitLab issues. All patches must
-   include the issue URL in the commit message(s). The
-   **"Workflow::In Progress"** label should be assigned when
+   progress fixes to the GitLab issues. The
+   **"Workflow::In Progress"** label can be assigned when
    a maintainer starts working on a fix.
 
  * When a CVE is allocated, it must be recorded as a comment on
    the GitLab issue, and the **"CVE::Required"** label replaced by
    the **"CVE::Assigned"** label.
 
- * The maintainer(s) will update the commit message(s) to include
-   the assigned CVE and issue URL. If multiple commits are required
-   to fix an issue the CVE must be included in the final commit in
-   the series, and may optionally be included in all prior commits.
+ * The maintainer(s) will update the commit message(s) before
+   sending a pull request to include the assigned CVE and issue
+   URL in the following format:
+
+     ```
+     Fixes: CVE-1980-12345
+     Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75
+     Reviewed-by: Not Me <notme@elsewhere.com>
+     Signed-off-by: Some One <someone@somewhere.com>
+     ```
+
+   If multiple commits are required to fix an issue the CVE must
+   be included in the final commit in the series, and may optionally
+   be included in all prior commits.
 
  * When the maintainer(s) are satisfied that the patch(es) are
    suitable to propose for merge, they must be submitted to
-- 
2.54.0



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [qemu-web PATCH] security: rework guideline about issue URL / CVE references
  2026-06-19  8:22 [qemu-web PATCH] security: rework guideline about issue URL / CVE references Daniel P. Berrangé
@ 2026-06-19  8:27 ` Thomas Huth
  2026-06-19  8:41   ` Daniel P. Berrangé
  2026-06-19  8:27 ` Michael S. Tsirkin
  1 sibling, 1 reply; 5+ messages in thread
From: Thomas Huth @ 2026-06-19  8:27 UTC (permalink / raw)
  To: Daniel P. Berrangé, qemu-devel; +Cc: Michael S. Tsirkin, Paolo Bonzini

On 19/06/2026 10.22, Daniel P. Berrangé wrote:
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> 
> This incorporates the feedback that Michael provided on the
> just merged security process changes.
> 
>   contribute/security-process.md | 23 ++++++++++++++++-------
>   1 file changed, 16 insertions(+), 7 deletions(-)
> 
> diff --git a/contribute/security-process.md b/contribute/security-process.md
> index c091fa1..146e9cd 100644
> --- a/contribute/security-process.md
> +++ b/contribute/security-process.md
> @@ -92,19 +92,28 @@ be scrubbed before disclosure.
>   
>    * The maintainer(s) will develop and/or review patch(es)
>      for the issue privately, optionally attaching work in
> -   progress fixes to the GitLab issues. All patches must
> -   include the issue URL in the commit message(s). The
> -   **"Workflow::In Progress"** label should be assigned when
> +   progress fixes to the GitLab issues. The
> +   **"Workflow::In Progress"** label can be assigned when
>      a maintainer starts working on a fix.
>   
>    * When a CVE is allocated, it must be recorded as a comment on
>      the GitLab issue, and the **"CVE::Required"** label replaced by
>      the **"CVE::Assigned"** label.
>   
> - * The maintainer(s) will update the commit message(s) to include
> -   the assigned CVE and issue URL. If multiple commits are required
> -   to fix an issue the CVE must be included in the final commit in
> -   the series, and may optionally be included in all prior commits.
> + * The maintainer(s) will update the commit message(s) before
> +   sending a pull request to include the assigned CVE and issue
> +   URL in the following format:
> +
> +     ```
> +     Fixes: CVE-1980-12345

So far we used "Fixes:" to indicate the commit ID of the patch that 
contained the bug. So maybe it's better to use something like "CVE:" instead?

> +     Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75

Maybe best to use a number here that does not exist, e.g. "42".

  Thomas


> +     Reviewed-by: Not Me <notme@elsewhere.com>
> +     Signed-off-by: Some One <someone@somewhere.com>
> +     ```
> +
> +   If multiple commits are required to fix an issue the CVE must
> +   be included in the final commit in the series, and may optionally
> +   be included in all prior commits.
>   
>    * When the maintainer(s) are satisfied that the patch(es) are
>      suitable to propose for merge, they must be submitted to



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [qemu-web PATCH] security: rework guideline about issue URL / CVE references
  2026-06-19  8:27 ` Thomas Huth
@ 2026-06-19  8:41   ` Daniel P. Berrangé
  2026-06-19  8:45     ` Thomas Huth
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel P. Berrangé @ 2026-06-19  8:41 UTC (permalink / raw)
  To: Thomas Huth; +Cc: qemu-devel, Michael S. Tsirkin, Paolo Bonzini

On Fri, Jun 19, 2026 at 10:27:33AM +0200, Thomas Huth wrote:
> On 19/06/2026 10.22, Daniel P. Berrangé wrote:
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > 
> > This incorporates the feedback that Michael provided on the
> > just merged security process changes.
> > 
> >   contribute/security-process.md | 23 ++++++++++++++++-------
> >   1 file changed, 16 insertions(+), 7 deletions(-)
> > 
> > diff --git a/contribute/security-process.md b/contribute/security-process.md
> > index c091fa1..146e9cd 100644
> > --- a/contribute/security-process.md
> > +++ b/contribute/security-process.md
> > @@ -92,19 +92,28 @@ be scrubbed before disclosure.
> >    * The maintainer(s) will develop and/or review patch(es)
> >      for the issue privately, optionally attaching work in
> > -   progress fixes to the GitLab issues. All patches must
> > -   include the issue URL in the commit message(s). The
> > -   **"Workflow::In Progress"** label should be assigned when
> > +   progress fixes to the GitLab issues. The
> > +   **"Workflow::In Progress"** label can be assigned when
> >      a maintainer starts working on a fix.
> >    * When a CVE is allocated, it must be recorded as a comment on
> >      the GitLab issue, and the **"CVE::Required"** label replaced by
> >      the **"CVE::Assigned"** label.
> > - * The maintainer(s) will update the commit message(s) to include
> > -   the assigned CVE and issue URL. If multiple commits are required
> > -   to fix an issue the CVE must be included in the final commit in
> > -   the series, and may optionally be included in all prior commits.
> > + * The maintainer(s) will update the commit message(s) before
> > +   sending a pull request to include the assigned CVE and issue
> > +   URL in the following format:
> > +
> > +     ```
> > +     Fixes: CVE-1980-12345
> 
> So far we used "Fixes:" to indicate the commit ID of the patch that
> contained the bug. So maybe it's better to use something like "CVE:"
> instead?

We've used it alot for CVEs too:

  $ git log | grep 'Fixes: CVE'  | wc -l
  116


> > +     Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75
> 
> Maybe best to use a number here that does not exist, e.g. "42".

Oh yes, good idea.

> 
>  Thomas
> 
> 
> > +     Reviewed-by: Not Me <notme@elsewhere.com>
> > +     Signed-off-by: Some One <someone@somewhere.com>
> > +     ```
> > +
> > +   If multiple commits are required to fix an issue the CVE must
> > +   be included in the final commit in the series, and may optionally
> > +   be included in all prior commits.
> >    * When the maintainer(s) are satisfied that the patch(es) are
> >      suitable to propose for merge, they must be submitted to
> 

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [qemu-web PATCH] security: rework guideline about issue URL / CVE references
  2026-06-19  8:41   ` Daniel P. Berrangé
@ 2026-06-19  8:45     ` Thomas Huth
  0 siblings, 0 replies; 5+ messages in thread
From: Thomas Huth @ 2026-06-19  8:45 UTC (permalink / raw)
  To: Daniel P. Berrangé; +Cc: qemu-devel, Michael S. Tsirkin, Paolo Bonzini

On 19/06/2026 10.41, Daniel P. Berrangé wrote:
> On Fri, Jun 19, 2026 at 10:27:33AM +0200, Thomas Huth wrote:
>> On 19/06/2026 10.22, Daniel P. Berrangé wrote:
>>> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
>>> ---
>>>
>>> This incorporates the feedback that Michael provided on the
>>> just merged security process changes.
>>>
>>>    contribute/security-process.md | 23 ++++++++++++++++-------
>>>    1 file changed, 16 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/contribute/security-process.md b/contribute/security-process.md
>>> index c091fa1..146e9cd 100644
>>> --- a/contribute/security-process.md
>>> +++ b/contribute/security-process.md
>>> @@ -92,19 +92,28 @@ be scrubbed before disclosure.
>>>     * The maintainer(s) will develop and/or review patch(es)
>>>       for the issue privately, optionally attaching work in
>>> -   progress fixes to the GitLab issues. All patches must
>>> -   include the issue URL in the commit message(s). The
>>> -   **"Workflow::In Progress"** label should be assigned when
>>> +   progress fixes to the GitLab issues. The
>>> +   **"Workflow::In Progress"** label can be assigned when
>>>       a maintainer starts working on a fix.
>>>     * When a CVE is allocated, it must be recorded as a comment on
>>>       the GitLab issue, and the **"CVE::Required"** label replaced by
>>>       the **"CVE::Assigned"** label.
>>> - * The maintainer(s) will update the commit message(s) to include
>>> -   the assigned CVE and issue URL. If multiple commits are required
>>> -   to fix an issue the CVE must be included in the final commit in
>>> -   the series, and may optionally be included in all prior commits.
>>> + * The maintainer(s) will update the commit message(s) before
>>> +   sending a pull request to include the assigned CVE and issue
>>> +   URL in the following format:
>>> +
>>> +     ```
>>> +     Fixes: CVE-1980-12345
>>
>> So far we used "Fixes:" to indicate the commit ID of the patch that
>> contained the bug. So maybe it's better to use something like "CVE:"
>> instead?
> 
> We've used it alot for CVEs too:
> 
>    $ git log | grep 'Fixes: CVE'  | wc -l
>    116

Ok, then it's fine for me, too.

  Thomas


> 
>>> +     Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75
>>
>> Maybe best to use a number here that does not exist, e.g. "42".
> 
> Oh yes, good idea.
> 
>>
>>   Thomas
>>
>>
>>> +     Reviewed-by: Not Me <notme@elsewhere.com>
>>> +     Signed-off-by: Some One <someone@somewhere.com>
>>> +     ```
>>> +
>>> +   If multiple commits are required to fix an issue the CVE must
>>> +   be included in the final commit in the series, and may optionally
>>> +   be included in all prior commits.
>>>     * When the maintainer(s) are satisfied that the patch(es) are
>>>       suitable to propose for merge, they must be submitted to
>>
> 
> With regards,
> Daniel



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [qemu-web PATCH] security: rework guideline about issue URL / CVE references
  2026-06-19  8:22 [qemu-web PATCH] security: rework guideline about issue URL / CVE references Daniel P. Berrangé
  2026-06-19  8:27 ` Thomas Huth
@ 2026-06-19  8:27 ` Michael S. Tsirkin
  1 sibling, 0 replies; 5+ messages in thread
From: Michael S. Tsirkin @ 2026-06-19  8:27 UTC (permalink / raw)
  To: Daniel P. Berrangé; +Cc: qemu-devel, Thomas Huth, Paolo Bonzini

On Fri, Jun 19, 2026 at 09:22:36AM +0100, Daniel P. Berrangé wrote:
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---

Thanks! something small to improve:

> This incorporates the feedback that Michael provided on the
> just merged security process changes.
> 
>  contribute/security-process.md | 23 ++++++++++++++++-------
>  1 file changed, 16 insertions(+), 7 deletions(-)
> 
> diff --git a/contribute/security-process.md b/contribute/security-process.md
> index c091fa1..146e9cd 100644
> --- a/contribute/security-process.md
> +++ b/contribute/security-process.md
> @@ -92,19 +92,28 @@ be scrubbed before disclosure.
>  
>   * The maintainer(s) will develop and/or review patch(es)
>     for the issue privately, optionally attaching work in
> -   progress fixes to the GitLab issues. All patches must
> -   include the issue URL in the commit message(s). The
> -   **"Workflow::In Progress"** label should be assigned when
> +   progress fixes to the GitLab issues. The
> +   **"Workflow::In Progress"** label can be assigned when
>     a maintainer starts working on a fix.
>  
>   * When a CVE is allocated, it must be recorded as a comment on
>     the GitLab issue, and the **"CVE::Required"** label replaced by
>     the **"CVE::Assigned"** label.
>  
> - * The maintainer(s) will update the commit message(s) to include
> -   the assigned CVE and issue URL. If multiple commits are required
> -   to fix an issue the CVE must be included in the final commit in
> -   the series, and may optionally be included in all prior commits.
> + * The maintainer(s) will update the commit message(s) before
> +   sending a pull request to include the assigned CVE and issue
> +   URL in the following format:
> +
> +     ```
> +     Fixes: CVE-1980-12345
> +     Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75
> +     Reviewed-by: Not Me <notme@elsewhere.com>
> +     Signed-off-by: Some One <someone@somewhere.com>
> +     ```
> +
> +   If multiple commits are required to fix an issue the CVE must
> +   be included in the final commit in the series, and may optionally
> +   be included in all prior commits.

And the Fixes tag? Same rule?

Thanks!

>   * When the maintainer(s) are satisfied that the patch(es) are
>     suitable to propose for merge, they must be submitted to
> -- 
> 2.54.0



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-06-19  8:46 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-19  8:22 [qemu-web PATCH] security: rework guideline about issue URL / CVE references Daniel P. Berrangé
2026-06-19  8:27 ` Thomas Huth
2026-06-19  8:41   ` Daniel P. Berrangé
2026-06-19  8:45     ` Thomas Huth
2026-06-19  8:27 ` Michael S. Tsirkin

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.