From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: rybczynska@gmail.com, Ross Burton <Ross.Burton@arm.com>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
Marta Rybczynska <marta.rybczynska@syslinbit.com>
Subject: Re: [OE-core][PATCH v3 5/5] cve-extra-exclusions.inc: add deprecation notice
Date: Thu, 01 Aug 2024 14:47:55 +0100 [thread overview]
Message-ID: <606d5852aec8e7bb29350cfb27aa3df8f706dc72.camel@linuxfoundation.org> (raw)
In-Reply-To: <CAApg2=S_2uiyd=g2Zn6RQBvBxDc-iRKFSZmpWBZWJx1M0RjYgQ@mail.gmail.com>
On Fri, 2024-07-26 at 14:28 +0200, Marta Rybczynska via
lists.openembedded.org wrote:
>
>
> On Fri, Jul 26, 2024 at 2:24 PM Ross Burton <Ross.Burton@arm.com>
> wrote:
> > On 24 Jul 2024, at 16:25, Marta Rybczynska via
> > lists.openembedded.org
> > <rybczynska=gmail.com@lists.openembedded.org> wrote:
> > >
> > > This file contains CVE_STATUS without machine-readable
> > > information on which
> > > recipe it applies to. All entries should be verified and, if
> > > appropriate,
> > > moved to their corresponding recipes.
> >
> > The point of this file was to be an opt-in for more exclusions
> > where we didn’t feel 100% confident asserting the issues could be
> > ignored.
> >
> > How much of a problem is it if this file contains a a limited
> > number of CVEs? We can review what is in there and move/remove as
> > needed to cut it down.
>
> With the vex class (and with SPDX too, I think) they end up copied
> present in every single package of the build. This brings enormous
> confusion.
> Impossible to filter them out as there is no information about the
> affected recipe/package.
Difficult, yes, impossible, no.
Surely we know which recipes a given CVE apply to?
Cheers,
Richard
next prev parent reply other threads:[~2024-08-01 13:48 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-24 15:25 [OE-core][PATCH v3 1/5] cve-check: annotate CVEs during analysis Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 2/5] cve_check: Update selftest with new status detail Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 3/5] vex.bbclass: add a new class Marta Rybczynska
2024-07-26 12:09 ` Ross Burton
2024-07-26 12:12 ` Ross Burton
2024-07-26 12:23 ` Marta Rybczynska
2024-07-26 12:22 ` Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 4/5] cve-check-map: add new statuses Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 5/5] cve-extra-exclusions.inc: add deprecation notice Marta Rybczynska
2024-07-26 12:23 ` Ross Burton
2024-07-26 12:28 ` Marta Rybczynska
2024-08-01 13:47 ` Richard Purdie [this message]
2024-08-01 13:58 ` Marta Rybczynska
2024-08-01 14:08 ` Richard Purdie
2024-08-06 13:16 ` Marta Rybczynska
2024-08-06 13:30 ` Richard Purdie
2024-07-24 15:41 ` Patchtest results for [OE-core][PATCH v3 1/5] cve-check: annotate CVEs during analysis patchtest
2024-07-25 14:29 ` Richard Purdie
[not found] ` <399979010dfd02323f49cbd25b95f606@syslinbit.com>
2024-07-25 15:27 ` Richard Purdie
2024-07-26 13:02 ` Marta Rybczynska
2024-08-01 14:25 ` Richard Purdie
2024-08-02 12:50 ` Marta Rybczynska
2024-08-02 13:00 ` Richard Purdie
2024-08-01 13:44 ` Richard Purdie
2024-08-01 14:14 ` Marko, Peter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=606d5852aec8e7bb29350cfb27aa3df8f706dc72.camel@linuxfoundation.org \
--to=richard.purdie@linuxfoundation.org \
--cc=Ross.Burton@arm.com \
--cc=marta.rybczynska@syslinbit.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=rybczynska@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox