From: Alexander Kanavin <alexander.kanavin@linux.intel.com>
To: Paul Eggleton <paul.eggleton@linux.intel.com>, openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 01/10] openssl: update to 1.0.2e
Date: Fri, 11 Dec 2015 14:18:44 +0200
Message-ID: <566ABF24.8030807@linux.intel.com>
In-Reply-To: <11154409.cTsW6tvGPG@peggleto-mobl.ger.corp.intel.com>
On 12/11/2015 01:13 AM, Paul Eggleton wrote:
>> Can we get the CVE's fix by this update included in the commit?
>>
>> It's a version update to oe-core's development branch (e.g.
>> non-production, frequently updated), why have the CVEs in the commit
>> message?
>
> So that it's clearer when a CVE has been resolved, however we ended up
> resolving it. We currently have a massive gap in what we know about CVE
> resolution because upgrades that fix them aren't tracked in any way.
The CVE database includes information about which upstream versions are
affected by the vulnerability and which have the fix. We can use this
information in our RRS to determine if there are any CVEs to be fixed
and even send notifications to maintainers.
Asking recipe maintainers to inspect the commit log for any new CVEs
fixed when doing a version update of any package, and then placing those
numbers into the recipe commit message is unnecessary manual work that
is also error-prone.
Alex
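The check Alex describes, deriving open CVEs from a recipe's version and the database's affected-version ranges rather than from hand-written commit messages, as an added example that is not code from this thread, from the RRS or from oe-core. The CVE records below are constructed placeholders with made-up ids and ranges; their field names (versionStartIncluding, versionEndExcluding, ...) follow the style of the NVD JSON feed's CPE match entries but the data is not real. The version comparison is a simple tokenizer that orders OpenSSL-style letter suffixes (1.0.2d < 1.0.2e) and does not handle pre-release tags.

```python
import re
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed sample records, NOT real CVE data. Ids and ranges are
# placeholders; a missing bound means open-ended, as in the NVD feed.
SAMPLE_CVE_RECORDS = [
    {"id": "CVE-0000-0001", "product": "openssl",
     "versionStartIncluding": "1.0.2", "versionEndExcluding": "1.0.2e"},
    {"id": "CVE-0000-0002", "product": "openssl",
     "versionStartIncluding": "1.0.1", "versionEndExcluding": "1.0.1q"},
    {"id": "CVE-0000-0003", "product": "openssl",
     "versionStartIncluding": "1.0.2", "versionEndIncluding": "1.0.2e"},
    {"id": "CVE-0000-0004", "product": "gnutls",
     "versionEndExcluding": "3.4.7"},
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> Tuple:
    """Turn '1.0.2e' into a tuple that sorts the way upstream numbering does.

    Numeric runs compare as integers, letter runs as strings; a version that
    is a prefix of another ('1.0.2' vs '1.0.2e') sorts first.
    """
    key = []
    for tok in _TOKEN.findall(version):
        if tok.isdigit():
            key.append((0, int(tok)))
        else:
            key.append((1, tok.lower()))
    return tuple(key)


def in_range(version: str, rec: Dict[str, str]) -> bool:
    """True when `version` falls inside the record's affected range."""
    v = version_key(version)
    lo_inc = rec.get("versionStartIncluding")
    lo_exc = rec.get("versionStartExcluding")
    hi_inc = rec.get("versionEndIncluding")
    hi_exc = rec.get("versionEndExcluding")
    if lo_inc is not None and v < version_key(lo_inc):
        return False
    if lo_exc is not None and v <= version_key(lo_exc):
        return False
    if hi_inc is not None and v > version_key(hi_inc):
        return False
    if hi_exc is not None and v >= version_key(hi_exc):
        return False
    return True


def open_cves(product: str, version: str, records: Iterable[Dict[str, str]],
              patched: FrozenSet[str] = frozenset()) -> List[str]:
    """CVE ids affecting product/version that the recipe does not already patch.

    `patched` stands for fixes carried as recipe patches (backports), which a
    version number alone cannot reveal.
    """
    hits = []
    for rec in records:
        if rec["product"] != product or rec["id"] in patched:
            continue
        if in_range(version, rec):
            hits.append(rec["id"])
    return sorted(hits)


def fixed_by_upgrade(product: str, old: str, new: str,
                     records: Iterable[Dict[str, str]]) -> List[str]:
    """CVE ids open at `old` and closed at `new`: the list an upgrade commit
    message would otherwise have to carry by hand."""
    before = set(open_cves(product, old, records))
    after = set(open_cves(product, new, records))
    return sorted(before - after)


if __name__ == "__main__":
    print("open at 1.0.2d:", open_cves("openssl", "1.0.2d", SAMPLE_CVE_RECORDS))
    print("open at 1.0.2e:", open_cves("openssl", "1.0.2e", SAMPLE_CVE_RECORDS))
    print("fixed by 1.0.2d -> 1.0.2e:",
          fixed_by_upgrade("openssl", "1.0.2d", "1.0.2e", SAMPLE_CVE_RECORDS))
```

The `patched` set is the caveat a practitioner should keep in mind: version ranges only say what upstream fixed in which release, so a recipe that backports a fix as a patch still looks vulnerable until that CVE id is recorded somewhere machine-readable (for example as a CVE tag in the patch header). With that input, a tool can produce both the open list and the "fixed by this upgrade" list automatically, which is the point of the reply above.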
Thread overview: 21+ messages
2015-12-09 14:40 [PATCH 00/10] Recipe version updates Alexander Kanavin
2015-12-09 14:40 ` [PATCH 01/10] openssl: update to 1.0.2e Alexander Kanavin
2015-12-09 19:52 ` akuster808
2015-12-10 10:50 ` Alexander Kanavin
2015-12-10 23:13 ` Paul Eggleton
2015-12-11 12:18 ` Alexander Kanavin [this message]
2015-12-14 14:34 ` Otavio Salvador
2015-12-15 0:49 ` Khem Raj
2015-12-09 14:40 ` [PATCH 02/10] gnutls: update to 3.4.7 Alexander Kanavin
2015-12-10 22:27 ` Burton, Ross
2015-12-09 14:40 ` [PATCH 03/10] python-setuptools: update to 18.7.1 Alexander Kanavin
2015-12-09 14:40 ` [PATCH 04/10] nspr: update to 4.11 Alexander Kanavin
2015-12-09 14:40 ` [PATCH 05/10] mobile-broadband-provider-info: update to current commit Alexander Kanavin
2015-12-09 14:40 ` [PATCH 06/10] puzzles: " Alexander Kanavin
2015-12-09 14:40 ` [PATCH 07/10] mirrors: replace references to archive.apache.org Alexander Kanavin
2015-12-21 22:21 ` Andre McCurdy
2015-12-22 13:22 ` Alexander Kanavin
2015-12-22 19:52 ` Andre McCurdy
2015-12-09 14:40 ` [PATCH 08/10] json-c: add manual upstream version check Alexander Kanavin
2015-12-09 14:40 ` [PATCH 09/10] subversion: update to 1.9.2 Alexander Kanavin
2015-12-09 14:40 ` [PATCH 10/10] slang: update upstream URI to (official) jedsoft.org Alexander Kanavin