On 19/06/2026 10.41, Daniel P. Berrangé wrote:
On Fri, Jun 19, 2026 at 10:27:33AM +0200, Thomas Huth wrote:
On 19/06/2026 10.22, Daniel P. Berrangé wrote:
Signed-off-by: Daniel P. Berrangé <[email protected]>
---
This incorporates the feedback that Michael provided on the
just merged security process changes.
contribute/security-process.md | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/contribute/security-process.md b/contribute/security-process.md
index c091fa1..146e9cd 100644
--- a/contribute/security-process.md
+++ b/contribute/security-process.md
@@ -92,19 +92,28 @@ be scrubbed before disclosure.
* The maintainer(s) will develop and/or review patch(es)
for the issue privately, optionally attaching work in
- progress fixes to the GitLab issues. All patches must
- include the issue URL in the commit message(s). The
- **"Workflow::In Progress"** label should be assigned when
+ progress fixes to the GitLab issues. The
+ **"Workflow::In Progress"** label can be assigned when
a maintainer starts working on a fix.
* When a CVE is allocated, it must be recorded as a comment on
the GitLab issue, and the **"CVE::Required"** label replaced by
the **"CVE::Assigned"** label.
- * The maintainer(s) will update the commit message(s) to include
- the assigned CVE and issue URL. If multiple commits are required
- to fix an issue the CVE must be included in the final commit in
- the series, and may optionally be included in all prior commits.
+ * The maintainer(s) will update the commit message(s) before
+ sending a pull request to include the assigned CVE and issue
+ URL in the following format:
+
+ ```
+ Fixes: CVE-1980-12345
So far we used "Fixes:" to indicate the commit ID of the patch that
contained the bug. So maybe it's better to use something like "CVE:"
instead?
We've used it a lot for CVEs too:
$ git log | grep 'Fixes: CVE' | wc -l
116
Ok, then it's fine for me, too.
Thomas
+ Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/75
Maybe best to use a number here that does not exist, e.g. "42".
Oh yes, good idea.
Thomas
+ Reviewed-by: Not Me <[email protected]>
+ Signed-off-by: Some One <[email protected]>
+ ```
+
+ If multiple commits are required to fix an issue the CVE must
+ be included in the final commit in the series, and may optionally
+ be included in all prior commits.
* When the maintainer(s) are satisfied that the patch(es) are
suitable to propose for merge, they must be submitted to
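Review bot: the multi-commit rule at the end of this hunk ("If multiple commits are required to fix an issue the CVE must be included in the final commit in the series") says where the CVE goes but not where the issue URL goes, and the same hunk drops the sentence from the first bullet that previously required it everywhere ("All patches must include the issue URL in the commit message(s)"). Since the new format shows both a `Fixes: CVE-...` and a `Resolves: <issue URL>` line, say explicitly whether `Resolves:` is required on every commit in the series or only on the final one, e.g. "the CVE and issue URL must be included in the final commit in the series, and may optionally be included in all prior commits".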
With regards,
Daniel