From: Mariano Lopez <mariano.lopez@linux.intel.com>
To: benjamin.esquivel@linux.intel.com,
openembedded-devel@lists.openembedded.org, "Burton,
Ross" <ross.burton@intel.com>,
Sona Sarmadi <sona.sarmadi@enea.com>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [oe] [RFC] Mark of upstream CVE patches
Date: Fri, 8 Jan 2016 09:22:50 -0600 [thread overview]
Message-ID: <568FD44A.9020801@linux.intel.com> (raw)
In-Reply-To: <1451938621.11986.1.camel@linux.intel.com>
On 01/04/2016 02:17 PM, Benjamin Esquivel wrote:
> On Mon, 2016-01-04 at 12:25 -0600, Mariano Lopez wrote:
>> On 12/16/2015 03:21 AM, Burton, Ross wrote:
>>> On 16 December 2015 at 09:03, Sona Sarmadi <sona.sarmadi@enea.com
>>> <mailto:sona.sarmadi@enea.com>> wrote:
>>>
>>> We are supposed to have reference to the CVE identifier both in
>>> the patch file/s
>>> and the commit message(e.g. xxx- CVE-2013-6435.pacth)
>>> according
>>> to the guidelines
>>> for "Patch name convention and commit message" in the Yocto
>>> Wiki https://wiki.yoctoproject.org/wiki/Security.
>>>
>>> If a patch address multiple CVEs, perhaps we should name the
>>> patch:
>>> Fix-for-multiple-CVEs.patch and list all CVEs in the patch
>>> file.
>>>
>>> Will this not solve the problem? Do you think there is still
>>> need
>>> for a new tag "CVE"?
>>>
>>>
>>> I'd say a new tag is essential if we want to automate tooling, to
>>> reduce the chance of false-positives from simply searching the
>>> patch
>>> for something that looks like a CVE reference.
>>>
>>> Ross
>> The conclusion of this thread is to add the tag "CVE" to the metadata
>> of
>> submitted CVE patches. I will edit the wiki to show this requirement.
> Please let us know when the wiki has the changes reflected :)
You can find it here:
http://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#CVE_Patches
>
>> Mariano
--
Mariano Lopez
prev parent reply other threads:[~2016-01-08 15:22 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-15 16:03 [RFC] Mark of upstream CVE patches Mariano Lopez
2015-12-15 16:26 ` Otavio Salvador
2015-12-15 16:30 ` Philip Balister
2015-12-15 16:37 ` Richard Purdie
2015-12-15 16:49 ` Philip Balister
2015-12-15 17:13 ` Richard Purdie
2015-12-15 17:17 ` Mariano Lopez
2015-12-16 9:03 ` Sona Sarmadi
2015-12-16 9:21 ` Burton, Ross
2016-01-04 18:25 ` Mariano Lopez
2016-01-04 20:17 ` [oe] " Benjamin Esquivel
2016-01-08 15:22 ` Mariano Lopez [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=568FD44A.9020801@linux.intel.com \
--to=mariano.lopez@linux.intel.com \
--cc=benjamin.esquivel@linux.intel.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=openembedded-devel@lists.openembedded.org \
--cc=ross.burton@intel.com \
--cc=sona.sarmadi@enea.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox