On Mon, 2016-01-04 at 12:25 -0600, Mariano Lopez wrote: > > On 12/16/2015 03:21 AM, Burton, Ross wrote: > > > > On 16 December 2015 at 09:03, Sona Sarmadi <sona.sarm...@enea.com > > <mailto:sona.sarm...@enea.com>> wrote: > > > > We are supposed to have reference to the CVE identifier both in > > the patch file/s > > and the commit message(e.g. xxx- CVE-2013-6435.pacth) > > according > > to the guidelines > > for "Patch name convention and commit message" in the Yocto > > Wiki https://wiki.yoctoproject.org/wiki/Security. > > > > If a patch address multiple CVEs, perhaps we should name the > > patch: > > Fix-for-multiple-CVEs.patch and list all CVEs in the patch > > file. > > > > Will this not solve the problem? Do you think there is still > > need > > for a new tag "CVE"? > > > > > > I'd say a new tag is essential if we want to automate tooling, to > > reduce the chance of false-positives from simply searching the > > patch > > for something that looks like a CVE reference. > > > > Ross > > The conclusion of this thread is to add the tag "CVE" to the metadata > of > submitted CVE patches. I will edit the wiki to show this requirement.
Please let us know when the wiki has the changes reflected :) > > Mariano -- _______________________________________________ Openembedded-devel mailing list Openembedded-devel@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-devel