On 2023-11-01 09:48, Steve Sakoman wrote:
On Tue, Oct 31, 2023 at 7:31 PM Marta Rybczynska <rybczyn...@gmail.com> wrote:



On Wed, 1 Nov 2023, 11:48 Anuj Mittal, <anuj.mit...@intel.com> wrote:
On Tue, 2023-10-31 at 19:33 -0700, Tim Orling wrote:

On Tue, Oct 31, 2023 at 7:26 PM Anuj Mittal <anuj.mit...@intel.com>
wrote:
On Tue, 2023-10-31 at 14:20 +0000, Trevor Gamblin wrote:
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/patchtest-shorten-test-result-outputs.patch

FAIL: test CVE presence in commit message: A CVE tag should be
provided in the commit message with format: "CVE: CVE-YYYY-XXXX"
(test_mbox.TestMbox.test_cve_presence_in_commit_message)
Is this a requirement to have this in commit message in this format? I
don't think this was being followed until now. A lot of patches seem to
be failing this test as a result.


This was required when patchtest was running previously. It has been
ignored for a while now, but that does not mean we should not enforce
it. It should be documented as required.

The tags allow for machines to parse the relevant info. Anything else
is purely random and chaos.
The tag is already required to be present in the CVE patch itself which
is/can be parsed by scripts which actually I think is a better way of
detecting whether a CVE is patched rather than looking at commit
messages.

If having it in a specific format in commit message as well helps,
sure. It shouldn't take time to add it but we seem to be adding too
many rules ...

(adding Steve)

I agree with Anuj, and I do not remember seeing a rule to put the
CVE number in the commit message. We already have it in the
patch file name (recommended) and inside the patch file itself.
Those two places are enough in my opinion. In fact, it will likely
be there in the commit message (its title), so repeating it does
not make much logical sense.

In fact, I have an update of the manual with more detailed information
on submitting CVE fixes and looking for a resolution of this question
to submit it :)

Steve, does such an additional tag in the commit message make it
easier for you?
No.  In most cases it seems to add no value, since the CVE number is
already in the shortlog, the filename of the patch(es), and the CVE
tag in the patch file(s).

I haven't been requiring it, so have no issue with removing that test
in patchtest.
I've got a patch ready to do this, just letting the selftests run to ensure nothing's broken before submission.

Steve


