On Tue, 2016-11-29 at 12:14 +0100, Raphael Hertzog wrote:
> Hi,
>
> On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> > Quite right:
> > http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff
>
> Some comments:
> - since we have no git history, it's nice to indicate in each patch what
> CVE it fixes (I like to name the patch according to the CVE it fixes too)
> here, I have to look up the upstream ticket or commit to find out and in many
> cases, it's no longer possible since the patch refers to a
> trac.imagemagick.org URL which no longer exists and/or the commit does
> not have the CVE number :(
[...]
Would it make sense to add a Bug header field to patches, e.g.:

Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-XXXX-YYYY

or:

Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-XXXX-YYYY

?

Ben.

-- 
Ben Hutchings
A free society is one where it is safe to be unpopular. - Adlai Stevenson
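A check, added here as an example and not taken from this thread or from any Debian tooling, that parses the DEP-3 style pseudo-header of each patch and reports the patches that name no CVE in any Bug-* field (including the Bug-CVE and Bug-Debian-Security fields proposed above, which are treated as hypothetical). The patch contents are constructed; a real run would read the files under debian/patches/ instead of the inline dict.

```python
import re

# Constructed sample patches (not real Debian patches). The Bug-CVE and
# Bug-Debian-Security fields are the ones proposed in the thread, assumed here.
SAMPLE_PATCHES = {
    "0001-fix-overflow.patch": (
        "Description: fix a heap overflow in one coder\n"
        "Origin: upstream, https://example.invalid/commit/abc123\n"
        "Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-0001\n"
        "Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0001\n"
        "\n"
        "--- a/coders/foo.c\n"
        "+++ b/coders/foo.c\n"
    ),
    "0002-no-cve-reference.patch": (
        "Description: another fix\n"
        "Origin: upstream, https://trac.example.invalid/ticket/42\n"
        "\n"
        "--- a/coders/bar.c\n"
    ),
}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


def parse_dep3_header(text):
    """Return the DEP-3 pseudo-header as {field: [values]}.

    The header ends at the first blank line; a line starting with a space
    continues the previous field; repeated fields (several Bug-* lines) are kept.
    """
    fields, current = {}, None
    for line in text.splitlines():
        if line.strip() == "":
            break
        if line.startswith(" ") and current:
            fields[current][-1] += " " + line.strip()
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            fields.setdefault(current, []).append(m.group(2))
    return fields


def cves_referenced(fields):
    """Sorted CVE ids found in the values of any Bug-* field."""
    found = set()
    for name, values in fields.items():
        if name.startswith("Bug"):
            for value in values:
                found.update(CVE_RE.findall(value))
    return sorted(found)


def patches_missing_cve(patches):
    """Names of patches whose header carries no CVE id in a Bug-* field."""
    return sorted(name for name, text in patches.items()
                  if not cves_referenced(parse_dep3_header(text)))
```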