On Thu, Jun 18, 2026 at 05:33:54PM +0100, Daniel P. Berrangé wrote: > On Thu, Jun 18, 2026 at 12:23:46PM -0400, Michael S. Tsirkin wrote: > > thanks! sorry probably just me being dense but some things > > here I don't get. might be worth clarifying: > > > > On Thu, Jun 18, 2026 at 05:07:10PM +0100, Daniel P. Berrangé wrote: > > > On Thu, Jun 18, 2026 at 11:30:29AM -0400, Michael S. Tsirkin wrote: > > > > > + * The maintainer(s) will develop and/or review patch(es) > > > > > + for the issue privately, optionally attaching work in > > > > > + progress fixes to the GitLab issues. > > > > > > > > attaching how? how do i ask reported to test the fix? > > > > was easy in the email flow. > > > > > > You can add arbitrary attachments in gitlab issue comments. > > > > > > > > All patches must > > > > > + include the issue URL in the commit message(s). > > > > > > > > you mean the commit message of the patches I presume? > > > > there's no commit at that point. > > > > > > Well I presume the maintainer will have a local git tree > > > with a work-in-progress commit. > > > > sorry I don't get it. > > > > what does it have to do with patches then? > > > > > > who cares about my local tree? > > If you fix a gitlab issue, the commit must contain the issue URL. > That's normal practice we've followed forever and would now apply > to security fixes too.
Ah. You want a Fixes: tag maybe? Let's say so pls then. > > > > and why is this mentioned twice? > > Mentioning twice is a mistake > > > > > > > The > > > > > + **"Workflow::In Progress"** label should be assigned when > > > > > + a maintainer starts working on a fix. > > > > > > > > That's a bit heavy, and what is "working" anyway. > > > > It's an issue tracker not a planning app. > > > > Don't try to make it one. > > > > > > Various "Workflow::" labels are already present in our gitlab > > > instance. We don't use them consistently - this text is just > > > a pointer that the're there. > > > > > > > maybe "can be assigned" then? > > Ok. > > > > > > > > > > > > > > > > > > > + * When a CVE is allocated, it must be recorded as a comment on > > > > > + the GitLab issue, and the **"CVE::Required"** label replaced by > > > > > + the **"CVE::Assigned"** label. > > > > > > > > Recorded as a comment how exactly, in what format? > > > > > > In plain text. > > > > yes but in what format? > > Literally just "CVE-2026-1234" anywhere in the commit message as we've > been donig for years. I suspect what we've been doing for years no longer scales or we'd keep doing what we've been doing? We desperately need something that is consumable by tooling, and I just do not see how is a tool going to figure out "this seems to be unrelated CVE-123" is irrelevant. Unless we'll feed it to some LLM and hope it's right. > > > > > > + * The maintainer(s) will update the commit message(s) > > > > > > > > what does it mean to "update the commit message"? > > > > > > The commit message for the patch the maintainer has in their > > > tree. > > > > then you mean "before sending a pull request"? > > Sure if you want it to be that specific. > > > > > > to include > > > > > + the assigned CVE and issue URL. If multiple commits are required > > > > > + to fix an issue the CVE must be included in the final commit in > > > > > + the series, and may optionally be included in all prior commits. > > > > > > > > And here, included in what format? > > > > > > The CVE just needs to exist somewhere/anywhere in the commit message. > > > It is common to put it in the first line, or with tags before SoB > > > but it doesn't really matter as long as we have a record of it in > > > the patch. > > > > Will be really annoying if any tools try to consume this e.g. > > to decide what to backport. > > I suggest deciding on something for these free text fields, > > how important is it to be able to write ❤️❤️❤️CVE-1234💰🔥🎯 really? > > I don't think we need to document every single little detail > here, just carry on with what we've already been doing for > commits. > > With regards, > Daniel If commits are linked to CVEs through issues that's fine. Need to make that link robust then. > -- > |: https://berrange.com ~~ https://hachyderm.io/@berrange :| > |: https://libvirt.org ~~ https://entangle-photo.org :| > |: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
