On Fri, Jun 19, 2026 at 10:15:08AM +0100, Daniel P. Berrangé wrote:
> Signed-off-by: Daniel P. Berrangé <[email protected]>
Acked-by: Michael S. Tsirkin <[email protected]> > --- > > In v2: > > - Use non-existing issue number as example > - Mention both issue URL and CVE to be optionally included > in all commit messages in a series > > contribute/security-process.md | 23 ++++++++++++++++------- > 1 file changed, 16 insertions(+), 7 deletions(-) > > diff --git a/contribute/security-process.md b/contribute/security-process.md > index c091fa1..0ec1952 100644 > --- a/contribute/security-process.md > +++ b/contribute/security-process.md > @@ -92,19 +92,28 @@ be scrubbed before disclosure. > > * The maintainer(s) will develop and/or review patch(es) > for the issue privately, optionally attaching work in > - progress fixes to the GitLab issues. All patches must > - include the issue URL in the commit message(s). The > - **"Workflow::In Progress"** label should be assigned when > + progress fixes to the GitLab issues. The > + **"Workflow::In Progress"** label can be assigned when > a maintainer starts working on a fix. > > * When a CVE is allocated, it must be recorded as a comment on > the GitLab issue, and the **"CVE::Required"** label replaced by > the **"CVE::Assigned"** label. > > - * The maintainer(s) will update the commit message(s) to include > - the assigned CVE and issue URL. If multiple commits are required > - to fix an issue the CVE must be included in the final commit in > - the series, and may optionally be included in all prior commits. > + * The maintainer(s) will update the commit message(s) before > + sending a pull request to include the assigned CVE and issue > + URL in the following format: > + > + ``` > + Fixes: CVE-1980-12345 > + Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/42 > + Reviewed-by: Not Me <[email protected]> > + 
Signed-off-by: Some One <[email protected]> > + ``` > + > + If multiple commits are required to fix an issue the CVE & issue > + URL must be included in the final commit in the series, and may > + optionally be included in all prior commits. > > * When the maintainer(s) are satisfied that the patch(es) are > suitable to propose for merge, they must be submitted to > -- > 2.54.0
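Review bot: the first bullet of this hunk also downgrades the "Workflow::In Progress" label from "should be assigned" to "can be assigned", which the v2 change list does not mention; if relaxing that label to optional is intentional it deserves a line in the changelog, otherwise keep "should". On the example trailers, the changelog says a non-existing issue number is used, but `Resolves: https://gitlab.com/qemu-project/qemu/-/work_items/42` is a low number that can easily collide with a real work item and mislead a reader into following the link; a value that is obviously a placeholder (in the same spirit as CVE-1980-12345) would be safer. Minor style point in the closing paragraph: "the CVE & issue URL" should be spelled out as "the CVE and issue URL" to match the surrounding prose.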
