On Tue, Oct 31, 2023 at 7:31 PM Marta Rybczynska <rybczyn...@gmail.com> wrote:
>
>
>
>
> On Wed, 1 Nov 2023, 11:48 Anuj Mittal, <anuj.mit...@intel.com> wrote:
>>
>> On Tue, 2023-10-31 at 19:33 -0700, Tim Orling wrote:
>> >
>> >
>> > On Tue, Oct 31, 2023 at 7:26 PM Anuj Mittal <anuj.mit...@intel.com>
>> > wrote:
>> > > On Tue, 2023-10-31 at 14:20 +0000, Trevor Gamblin wrote:
>> > > > Thank you for your submission. Patchtest identified one
>> > > > or more issues with the patch. Please see the log below for
>> > > > more information:
>> > > >
>> > > > ---
>> > > > Testing patch /home/patchtest/share/mboxes/patchtest-shorten-test-result-outputs.patch
>> > > >
>> > > > FAIL: test CVE presence in commit message: A CVE tag should be
>> > > > provided in the commit message with format: "CVE: CVE-YYYY-XXXX"
>> > > > (test_mbox.TestMbox.test_cve_presence_in_commit_message)
>> > >
>> > > Is this a requirement to have this in commit message in this format? I
>> > > don't think this was being followed until now. A lot of patches seem to
>> > > be failing this test as a result.
>> > >
>> >
>> >
>> > This was required when patchtest was running previously. It has been
>> > ignored for a while now, but that does not mean we should not enforce
>> > it. It should be documented as required.
>> >
>> > The tags allow for machines to parse the relevant info. Anything else
>> > is purely random and chaos.
>>
>> The tag is already required to be present in the CVE patch itself which
>> is/can be parsed by scripts which actually I think is a better way of
>> detecting whether a CVE is patched rather than looking at commit
>> messages.
>>
>> If having it in a specific format in commit message as well helps,
>> sure. It shouldn't take time to add it but we seem to be adding too
>> many rules ...
>>
>
> (adding Steve)
>
> I agree with Anuj, and I do not remember seeing a rule to put the
> CVE number in the commit message. We already have it in the
> patch file name (recommended) and inside the patch file itself.
> Those two places are enough in my opinion. In fact, it will likely
> be there in the commit message (its title), so repeating it does
> not make much logical sense.
>
> In fact, I have an update of the manual with more detailed information
> on submitting CVE fixes and looking for a resolution of this question
> to submit it :)
>
> Steve, does such an additional tag in the commit message make it
> easier for you?

No. In most cases it seems to add no value, since the CVE number is
already in the shortlog, the filename of the patch(es), and the CVE
tag in the patch file(s).

I haven't been requiring it, so have no issue with removing that test
in patchtest.

Steve
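
The thread names four places a CVE id can appear in a submission: the shortlog, a "CVE:" tag in the commit message, the filename of the added patch, and the "CVE:" tag inside that patch file. The following is an added example, not patchtest code or anything posted in this thread, that reports which of them a given mbox carries; the recipe name, paths and CVE id in the sample are constructed placeholders, and the function name is hypothetical.

```python
import re

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
TAG = re.compile(r"^CVE:\s*(.*)$")   # tag line, format "CVE: CVE-YYYY-XXXX"

# Constructed sample submission; recipe, paths and CVE id are placeholders.
SAMPLE = """\
From: Dev <dev@example.com>
Subject: [PATCH] foo: fix CVE-0000-0000

Backport the upstream fix.

Signed-off-by: Dev <dev@example.com>
---
 meta/recipes-foo/foo/foo/CVE-0000-0000.patch | 6 ++++++
--- /dev/null
+++ b/meta/recipes-foo/foo/foo/CVE-0000-0000.patch
@@ -0,0 +1,6 @@
+Subject: [PATCH] parser: check length
+
+CVE: CVE-0000-0000
+Upstream-Status: Backport
+---
+ src/parser.c | 2 +-
"""

def cve_locations(mbox):
    """Return {location: set of CVE ids} for one mbox-format patch."""
    found = {"shortlog": set(), "commit_tag": set(),
             "patch_filename": set(), "patch_file_tag": set()}
    # Everything before the first bare "---" line is headers + commit message.
    head, _, diff = mbox.partition("\n---\n")
    for line in head.splitlines():
        if line.startswith("Subject:"):
            found["shortlog"].update(CVE_ID.findall(line))
        elif (m := TAG.match(line)):
            found["commit_tag"].update(CVE_ID.findall(m.group(1)))
    for line in diff.splitlines():
        if line.startswith("+++ b/") and line.endswith(".patch"):
            name = line.rsplit("/", 1)[-1]          # basename of added patch
            found["patch_filename"].update(CVE_ID.findall(name))
        elif line.startswith("+") and (m := TAG.match(line[1:])):
            found["patch_file_tag"].update(CVE_ID.findall(m.group(1)))
    return found

if __name__ == "__main__":
    for where, ids in cve_locations(SAMPLE).items():
        print(f"{where:15} {sorted(ids) or 'missing'}")
```

On the sample, only `commit_tag` comes back empty, which is the case the failing patchtest check flags even though the id is recoverable from the other three locations.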