On Fri, Jun 19, 2026 at 10:27:33AM +0200, Thomas Huth wrote:
> On 19/06/2026 10.22, Daniel P. Berrangé wrote:
> > Signed-off-by: Daniel P. Berrangé <[email protected]>
> > ---
> >
> > This incorporates the feedback that Michael provided on the
> > just merged security process changes.
> >
> >  contribute/security-process.md | 23 ++++++++++++++++-------
> >  1 file changed, 16 insertions(+), 7 deletions(-)
> >
> > diff --git a/contribute/security-process.md b/contribute/security-process.md
> > index c091fa1..146e9cd 100644
> > --- a/contribute/security-process.md
> > +++ b/contribute/security-process.md
> > @@ -92,19 +92,28 @@ be scrubbed before disclosure.
> > * The maintainer(s) will develop and/or review patch(es)
> > for the issue privately, optionally attaching work in
> > - progress fixes to the GitLab issues. All patches must
> > - include the issue URL in the commit message(s). The
> > - **"Workflow::In Progress"** label should be assigned when
> > + progress fixes to the GitLab issues. The
> > + **"Workflow::In Progress"** label can be assigned when
> > a maintainer starts working on a fix.
> > * When a CVE is allocated, it must be recorded as a comment on
> > the GitLab issue, and the **"CVE::Required"** label replaced by
> > the **"CVE::Assigned"** label.
> > - * The maintainer(s) will update the commit message(s) to include
> > - the assigned CVE and issue URL. If multiple commits are required
> > - to fix an issue the CVE must be included in the final commit in
> > - the series, and may optionally be included in all prior commits.
> > + * The maintainer(s) will update the commit message(s) before
> > + sending a pull request to include the assigned CVE and issue
> > + URL in the following format:
> > +
> > + ```
> > + Fixes: CVE-1980-12345
>
> So far we used "Fixes:" to indicate the commit ID of the patch that
> contained the bug. So maybe it's better to use something like "CVE:"
> instead?

We've used it a lot for CVEs too:

$ git log | grep 'Fixes: CVE' | wc -l
116

> > + Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75
>
> Maybe best to use a number here that does not exist, e.g. "42".

Oh yes, good idea.

>
> Thomas
>
> > + Reviewed-by: Not Me <[email protected]>
> > + Signed-off-by: Some One <[email protected]>
> > + ```
> > +
> > + If multiple commits are required to fix an issue the CVE must
> > + be included in the final commit in the series, and may optionally
> > + be included in all prior commits.
> > * When the maintainer(s) are satisfied that the patch(es) are
> > suitable to propose for merge, they must be submitted to
>

With regards,
Daniel
-- 
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
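Review bot: the new "in the following format" block shows Reviewed-by: and Signed-off-by: trailers next to the Fixes: and Resolves: lines, but the sentence introducing it only describes how to record the assigned CVE and issue URL, so a reader may take the extra trailers as part of the requirement; consider trimming the example to the two required lines, or adding a sentence that only "Fixes: CVE-..." and "Resolves: <issue URL>" are mandatory and the rest is illustrative. The first hunk also changes "label should be assigned" to "label can be assigned", which turns the Workflow::In Progress label from expected to optional; if that is intentional it deserves a mention in the commit message, which currently only says the patch incorporates Michael's feedback.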
