> I'd suggest that patches/apply_to_x.y.z/ is a clumsy notation. It seems > more efficient to set these up as patches/CVE-yyyy-iiii/ with individual > files for actively (or semi-actively) maintained versions. If there is > one patch which applies to 2.2.n < 2.2.17, and a second patch for 2.2.17 > and higher, it would be easier to differentiate these all within one > directory.
The current scheme has one benefit in that a responsible user on the latest release has a one-stop shop for "What do I need to add?". With the CVE as the directory, they'd have to start with some other resource/hint or browse through the descriptions/patches.
