Hi Guix,

On Friday, 28.06.2024 at 21:11 -0400, Maxim Cournoyer wrote:
> Richard Sent <rich...@freakingpenguin.com> writes:
>
> > Another one seems to be the [security fixes], [fixes CVE-...], and
> > [fixes TROVE-...] blocks added to certain header lines. What other
> > tags exist? There seems to be inconsistency here when referring to
> > multiple CVEs. For example, when a fixes tag references multiple
> > CVEs you can find.
> >
> > [fixes CVE-2020-10700, CVE-2020-10704] [5]
> > [fixes CVE-2020-3898 & CVE-2019-8842] [6]
> > [fixes CVE-2023-{28755, 28756}] [7]
>
> I think these are likely to bust the 70-character limit for a git
> commit summary line, so perhaps we could standardize on [fixes CVE-XXX]
> for single CVEs or [security fixes] when there are more than one
> (listing the CVEs in the commit message body instead then).

I think we should use a "Fixes: [short description] <URI>" footer for
both Guix and upstream bugs, that can easily be parsed – hopefully by
both humans and machines. That would give the interested reader the
(contextual) information they need, while also leaving the main body to
a more thorough description of the patch itself.

Cheers
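As an added illustration of the "parseable by machines" point raised in this thread (this is example code, not anything from the Guix project), the script below extracts security metadata from a commit message in the forms discussed above: the existing summary-line tags `[security fixes]`, `[fixes CVE-...]` (in the comma, `&` and `{...}` spellings quoted by Richard) and `[fixes TROVE-...]`, plus the proposed `Fixes: <short description> <URI>` footer. The footer grammar is my reading of the proposal, the 70-character summary check mirrors the limit Maxim mentions, and the sample commit messages are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Summary-line tags as used in Guix commit summaries (forms quoted in the thread):
#   [security fixes]
#   [fixes CVE-2020-10700, CVE-2020-10704]
#   [fixes CVE-2020-3898 & CVE-2019-8842]
#   [fixes CVE-2023-{28755, 28756}]
#   [fixes TROVE-...]
SUMMARY_TAG_RE = re.compile(r"\[(security fixes|fixes ([^\]]+))\]", re.IGNORECASE)
# Brace shorthand "CVE-2023-{28755, 28756}" expands to two full identifiers.
BRACE_RE = re.compile(r"(CVE|TROVE)-(\d{4})-\{([^}]*)\}")
ID_RE = re.compile(r"\b(?:CVE|TROVE)-\d{4}-\d+\b")
# Proposed footer (assumed grammar): "Fixes: <short description> <URI>".
FOOTER_RE = re.compile(r"^Fixes:\s*(.*?)\s*<([^>\s]+)>\s*$", re.MULTILINE)

SUMMARY_LIMIT = 70  # git summary-line length limit mentioned in the thread


@dataclass
class CommitSecurityInfo:
    security_fix: bool = False          # summary carries a security tag
    summary_over_limit: bool = False    # summary longer than SUMMARY_LIMIT
    ids: list = field(default_factory=list)      # CVE/TROVE identifiers, in order of appearance
    footers: list = field(default_factory=list)  # (description, uri) from "Fixes:" footers


def expand_braces(text):
    """Rewrite CVE-YYYY-{a, b} shorthand into a comma-separated list of full ids."""
    def repl(m):
        prefix, year, body = m.group(1), m.group(2), m.group(3)
        return ", ".join(f"{prefix}-{year}-{n.strip()}" for n in body.split(","))
    return BRACE_RE.sub(repl, text)


def parse_commit_message(message):
    """Extract security tags, identifiers and Fixes footers from a commit message."""
    summary, _, body = message.partition("\n")
    info = CommitSecurityInfo(summary_over_limit=len(summary) > SUMMARY_LIMIT)

    for m in SUMMARY_TAG_RE.finditer(summary):
        info.security_fix = True
        if m.group(2):  # "[fixes ...]" lists ids inline; "[security fixes]" does not
            info.ids.extend(ID_RE.findall(expand_braces(m.group(2))))

    # With "[security fixes]" the identifiers are expected in the body instead,
    # so any id mentioned there is collected too (deduplicated, order preserved).
    for ident in ID_RE.findall(expand_braces(body)):
        if ident not in info.ids:
            info.ids.append(ident)

    for m in FOOTER_RE.finditer(body):
        info.footers.append((m.group(1), m.group(2)))
    return info


# Constructed sample commit messages (not real Guix commits).
SAMPLE_BRACES = (
    "gnu: foo: Update to 1.2.3 [fixes CVE-2023-{28755, 28756}].\n"
    "\n"
    "* gnu/packages/foo.scm (foo): Update to 1.2.3.\n"
    "\n"
    "Fixes: foo crashes on malformed input <https://example.org/bug/1>\n"
)
SAMPLE_BODY_IDS = (
    "gnu: bar: Update to 2.0 [security fixes].\n"
    "\n"
    "* gnu/packages/bar.scm (bar): Update to 2.0.\n"
    "\n"
    "This fixes CVE-2020-3898 & CVE-2019-8842.\n"
)
SAMPLE_PLAIN = (
    "gnu: baz: Update to 3.1.\n"
    "\n"
    "* gnu/packages/baz.scm (baz): Update to 3.1.\n"
)

if __name__ == "__main__":
    for msg in (SAMPLE_BRACES, SAMPLE_BODY_IDS, SAMPLE_PLAIN):
        print(parse_commit_message(msg))
```

Running the script prints one `CommitSecurityInfo` per sample; a hook that feeds `git log --format=%B` through `parse_commit_message` would give the machine-readable view the thread asks for, and the `summary_over_limit` flag catches the case Maxim describes where a multi-CVE tag pushes the summary past the limit.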