Re: [OE-core] [openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS

["Yoann Congal" <yoann.congal@smile.fr>]

On Tue Mar 3, 2026 at 10:09 AM CET, Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote:
> Gentle reminder.

Hello,

Sorry but I have to reject the series.

The LTS policy is restricted to bugfixes and security updates. A
significant portion of these patches introduce new features or
refactoring, which increases regression risk.

Please split the series and resubmit only the bugfixes if that makes
sense for you.

Regards,

> ________________________________
> From: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) <hetpat@cisco.com>
> Sent: Monday, February 23, 2026 6:01 PM
> To: Paul Barker <paul@pbarker.dev>; openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org>
> Cc: xe-linux-external(mailer list) <xe-linux-external@cisco.com>; Viral Chavda (vchavda) <vchavda@cisco.com>; Yoann Congal <yoann.congal@smile.fr>
> Subject: Re: [OE-core] [openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS
>
> Hi Paul,
>
> Yes, all patches in your series are present on both the whinlatter branch and master. These patches have been cherry‑picked directly from the master branch. Their primary purpose is to migrate the CVE reporting files in the scarthgap branch so that they align with the master implementation.
>
> I have attached a comparison of the CVE reports generated on the scarthgap branch before and after the migration. As shown, several additional fields are included in the post‑migration report, such as "patch-file", and "detail": "version-not-in-range". With these changes, the CVE report format in scarthgap now closely matches the format used in the master branch.
>
> Please let me know if you have any questions or need further clarification.
>
> Kind regards,
> Het Patel.
>
> [cid:9392158e-5418-49ae-ac27-40de739c7c02]
>
> ________________________________
> From: Paul Barker
> Sent: Monday, February 23, 2026 3:16 PM
> To: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco); openembedded-core@lists.openembedded.org
> Cc: xe-linux-external(mailer list); Viral Chavda (vchavda); Yoann Congal
> Subject: Re: [OE-core] [openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS
>
> On Thu, 2026-02-19 at 21:34 -0800, Het Patel via lists.openembedded.org
> wrote:
>> From: Marta Rybczynska <rybczynska@gmail.com>
>>
>> CVE_STATUS contains assesment of a given CVE, but until now it didn't have
>> include the affected vendor/product. In the case of a global system include,
>> that CVE_STATUS was visible in all recipes.
>>
>> This patch allows encoding of affected product/vendor to each CVE_STATUS
>> assessment, also for groups. We can then filter them later and use only
>> CVEs that correspond to the recipe.
>>
>> This is going to be used in meta/conf/distro/include/cve-extra-exclusions.inc
>> and similar places.
>>
>> Backport Changes:
>> - Discarded the changes to meta/lib/oe/spdx30_tasks.py, as the
>> commit history for this file diverges from the base commit
>> itself (9c9b9545049a in the scarthgap branch).
>> - Additionally, the changes do not introduce any major features
>> and are primarily focused on code restructuring.
>>
>> Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
>> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
>> (cherry picked from commit abca80a716e92fc18d3085aba1a15f4bac72379c)
>> Signed-off-by: Het Patel <hetpat@cisco.com>
>
> Hi,
>
> When sending a long list of backport patches like this, please include a
> cover letter explaining the benefit you see to having these on the
> stable branch and include some test results.
>
> Have you confirmed that all the patches in your series are also on the
> whinlatter branch as well as master?
>
> Best regards,
>
> --
> Paul Barker


-- 
Yoann Congal
Smile ECS