Re: Bug#908678: Some more thoughts and some tests on the security-tracker git repo

[Salvatore Bonaccorso]

Hi,

[not contributing right now with ideas, just giving one important
datapoint to me to the discussion]

On Wed, Sep 26, 2018 at 03:15:14PM +0200, Guido Günther wrote:
> Not necessarily. Maybe a graft would do:
> 
> 
> https://developer.atlassian.com/blog/2015/08/grafting-earlier-history-with-git/
> 
> This is IMHO preferable over history rewrites. I've used this to tie
> histories in the past. I've not used "git replace" though but
> .git/info/grafts.

FWIW on this point, for the securiy team members worklfows it is quite
importannt aspect (even admittely can be slow) to have access to
history of commits while working on their own checkouts. So that would
be a feature that in any splitup work done should be considered,
either in a rewrite-history situation or as mentioned above, or other
possibilties which will arise.

Thank you!

Regards,
Salvatore

External check

[Security Tracker]

CVE-2018-17075: TODO: check
CVE-2018-17142: TODO: check, in golang-golang-x-net-dev?
CVE-2018-17143: TODO: check, in golang-golang-x-net-dev?
CVE-2018-6055: TODO: check
CVE-2018-6119: TODO: check
--
The output might be a bit terse, but the above ids are known elsewhere,
check the references in the tracker. The second part indicates the status
of that id in the tracker at the moment the script was run.