Signed-off-by: Daniel P. Berrangé <[email protected]>
---
This incorporates the feedback that Michael provided on the
just merged security process changes.
contribute/security-process.md | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/contribute/security-process.md b/contribute/security-process.md
index c091fa1..146e9cd 100644
--- a/contribute/security-process.md
+++ b/contribute/security-process.md
@@ -92,19 +92,28 @@ be scrubbed before disclosure.
* The maintainer(s) will develop and/or review patch(es)
for the issue privately, optionally attaching work in
- progress fixes to the GitLab issues. All patches must
- include the issue URL in the commit message(s). The
- **"Workflow::In Progress"** label should be assigned when
+ progress fixes to the GitLab issues. The
+ **"Workflow::In Progress"** label can be assigned when
a maintainer starts working on a fix.
* When a CVE is allocated, it must be recorded as a comment on
the GitLab issue, and the **"CVE::Required"** label replaced by
the **"CVE::Assigned"** label.
- * The maintainer(s) will update the commit message(s) to include
- the assigned CVE and issue URL. If multiple commits are required
- to fix an issue the CVE must be included in the final commit in
- the series, and may optionally be included in all prior commits.
+ * The maintainer(s) will update the commit message(s) before
+ sending a pull request to include the assigned CVE and issue
+ URL in the following format:
+
+ ```
+ Fixes: CVE-1980-12345
+ Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75
+ Reviewed-by: Not Me <[email protected]>
+ Signed-off-by: Some One <[email protected]>
+ ```
+
+ If multiple commits are required to fix an issue the CVE must
+ be included in the final commit in the series, and may optionally
+ be included in all prior commits.
* When the maintainer(s) are satisfied that the patch(es) are
suitable to propose for merge, they must be submitted to
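Review bot: the multi-commit rule at the end of the hunk ("the CVE must be included in the final commit in the series") only covers the CVE, but the new format block introduces two trailers, `Fixes: CVE-1980-12345` and `Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75`; state whether the `Resolves:` issue URL follows the same final-commit rule or must appear in every commit, since the first bullet's former "All patches must include the issue URL" sentence is removed in this hunk and that requirement is otherwise lost. It would also help to say that only the `Fixes:` and `Resolves:` lines are the mandated part of the format, so the `Reviewed-by:` and `Signed-off-by:` lines in the example are not read as additional requirements of the security process, and to check the rendered page, because the fenced block is nested inside an indented sub-bullet and needs its indentation preserved to stay inside the list.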
--
2.54.0