On Fri, Jun 19, 2026 at 09:22:36AM +0100, Daniel P. Berrangé wrote: > Signed-off-by: Daniel P. Berrangé <[email protected]> > ---
Thanks! Something small to improve: > This incorporates the feedback that Michael provided on the > just merged security process changes. > > contribute/security-process.md | 23 ++++++++++++++++------- > 1 file changed, 16 insertions(+), 7 deletions(-) > > diff --git a/contribute/security-process.md b/contribute/security-process.md > index c091fa1..146e9cd 100644 > --- a/contribute/security-process.md > +++ b/contribute/security-process.md > @@ -92,19 +92,28 @@ be scrubbed before disclosure. > > * The maintainer(s) will develop and/or review patch(es) > for the issue privately, optionally attaching work in > - progress fixes to the GitLab issues. All patches must > - include the issue URL in the commit message(s). The > - **"Workflow::In Progress"** label should be assigned when > + progress fixes to the GitLab issues. The > + **"Workflow::In Progress"** label can be assigned when > a maintainer starts working on a fix. > > * When a CVE is allocated, it must be recorded as a comment on > the GitLab issue, and the **"CVE::Required"** label replaced by > the **"CVE::Assigned"** label. > > - * The maintainer(s) will update the commit message(s) to include > - the assigned CVE and issue URL. If multiple commits are required > - to fix an issue the CVE must be included in the final commit in > - the series, and may optionally be included in all prior commits. > + * The maintainer(s) will update the commit message(s) before > + sending a pull request to include the assigned CVE and issue > + URL in the following format: > + > + ``` > + Fixes: CVE-1980-12345 > + Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75 > + Reviewed-by: Not Me <[email protected]> > + 
Signed-off-by: Some One <[email protected]> > + ``` > + > + If multiple commits are required to fix an issue the CVE must > + be included in the final commit in the series, and may optionally > + be included in all prior commits. And the Fixes tag? Same rule? Thanks! > * When the maintainer(s) are satisfied that the patch(es) are > suitable to propose for merge, they must be submitted to > -- > 2.54.0
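Review bot: the multi-commit rule at the end of the hunk ("If multiple commits are required to fix an issue the CVE must be included in the final commit in the series, and may optionally be included in all prior commits.") covers only the CVE, while the new format block just above it introduces two trailers, `Fixes: CVE-1980-12345` and `Resolves: https://gitlab.com/...`, and the first part of this same hunk removes the old sentence "All patches must include the issue URL in the commit message(s)". As written, the document no longer says whether the `Resolves:` issue URL (or the `Fixes:` tag that carries the CVE) has to appear in every commit of a series or only in the final one. Suggest stating the rule for both trailers explicitly, e.g. "If multiple commits are required to fix an issue, the `Fixes:` and `Resolves:` lines must be included in the final commit in the series, and may optionally be included in all prior commits." A smaller point in the same block: the CVE placeholder is obviously illustrative, but `work_items/75` reads like a real issue number; an equally obvious placeholder would avoid readers copying it.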
