From: Luca Boccassi <bl...@debian.org> Allow more flexibility with embargo lifting by not requiring mentions of CVEs in commit messages if the lift date allows it.
Signed-off-by: Luca Boccassi <bl...@debian.org> --- doc/guides/contributing/vulnerability.rst | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst index b6300252ad..fc60e02e37 100644 --- a/doc/guides/contributing/vulnerability.rst +++ b/doc/guides/contributing/vulnerability.rst @@ -170,7 +170,10 @@ The patches fixing the vulnerability are developed and reviewed by the security team and by elected area experts that agree to maintain confidentiality. -The CVE id and the bug id must be referenced in the patch. +The CVE id and the bug id must be referenced in the patch if there is no +embargo, or if there is an embargo, but it will be lifted when the release +including the patch is published. If the embargo is going to be lifted after the +release, then the CVE and bug ids must be omitted from the commit message. Backports to the identified affected versions are done once the fix is ready. -- 2.34.1
