Hello everyone,

We have a constant flow of work on pending CVEs. During my discussions with multiple people, there is a common need for synchronization of this work to avoid duplication or forgotten fixes.

We have a decision on the tooling to make: do we want to create a Bugzilla entry for each new open CVE? An alternative is to use a wiki page (this has been prototyped by Ross) with heavy scripting to automate the tedious part.

Today I propose that you use a special wiki page and the following procedure: On the wiki page, always add all additional information after a ";" sign to allow scripting. The first part of each line (until ";") will be auto-generated. The second part contains information about the issue, like who is investigating or what the situation is. There is a separate list for each branch, as we realize that people concentrate on various branches.

Workflow:

* Mark the name of the person preparing a patch for each branch
* If you have additional information (like a link to a patch), add it to the record
* If a patch is posted to the mailing list, post a link to it (this will be automated)
* When a patch reaches the "next" branch, mark it too (this will be automated too)
* When the patch reaches the final branch, the line of the CVE is automatically removed (this is already automated)
* The list is (re)generated every day

Please have a look at the procedure proposal and at what the tracking might look like: https://wiki.yoctoproject.org/wiki/Synchronization_CVEs

Kind regards,
Marta
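As an added illustration (not the script prototyped by Ross, nor anything from the wiki page), the following sketch shows the core of the regeneration step the proposal relies on: the auto-generated part of each line is rebuilt daily from the current set of open CVEs, the manual part after the first ";" is carried over unchanged, and entries whose CVE is no longer open are dropped. The line layout (`* CVE-id package version; note`), the CVE ids and the package names are constructed placeholders.

```python
"""Regenerate one branch's CVE tracking list while preserving manual notes.

Constructed example: the real wiki script and its exact line layout are
not shown on the page; the format assumed here is
    * <CVE-id> <auto-generated description>; <manual note>
"""
from typing import Dict, List

SEP = ";"  # everything after the first ';' belongs to humans, not the script


def parse_list(lines: List[str]) -> Dict[str, str]:
    """Map CVE id -> manual note for every CVE line in the current list."""
    notes: Dict[str, str] = {}
    for line in lines:
        if not line.startswith("* CVE-"):
            continue  # headings and other wiki text are left alone
        auto, _, manual = line.partition(SEP)  # split on the FIRST ';' only,
        cve_id = auto.split()[1]               # so notes may contain ';' too
        notes[cve_id] = manual.strip()
    return notes


def regenerate(previous: List[str], open_cves: Dict[str, str]) -> List[str]:
    """Rebuild the list from open_cves (CVE id -> auto-generated text).

    Notes survive for CVEs that are still open; a CVE that is no longer
    open (its patch reached the final branch) disappears with its note.
    """
    notes = parse_list(previous)
    out = []
    for cve_id in sorted(open_cves):
        auto = f"* {cve_id} {open_cves[cve_id]}"
        manual = notes.get(cve_id, "")
        out.append(f"{auto}{SEP} {manual}".rstrip())  # keep ';' even if no note
    return out


def stale_entries(previous: List[str], open_cves: Dict[str, str]) -> List[str]:
    """CVE ids present in the old list but no longer open (the lines that
    the daily regeneration will remove)."""
    return sorted(set(parse_list(previous)) - set(open_cves))


# Constructed sample input: yesterday's list and today's open CVEs.
PREVIOUS = [
    "== example-branch ==",
    "* CVE-0000-0001 example-pkg 1.0; Ross preparing patch; link pending",
    "* CVE-0000-0002 other-pkg 2.3; under investigation by Marta",
    "* CVE-0000-0003 third-pkg 0.9;",
]
OPEN = {"CVE-0000-0001": "example-pkg 1.0",
        "CVE-0000-0003": "third-pkg 0.9",
        "CVE-0000-0004": "new-pkg 4.2"}

if __name__ == "__main__":
    print("\n".join(regenerate(PREVIOUS, OPEN)))
    print("removed:", stale_entries(PREVIOUS, OPEN))
```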
View/Reply Online (#189510): https://lists.openembedded.org/g/openembedded-core/message/189510