Hi Liliana,

Liliana Marie Prikler <liliana.prik...@gmail.com> writes:

> Hi Guix,
>
> On Friday, 28.06.2024 at 21:11 -0400, Maxim Cournoyer wrote:
>> Richard Sent <rich...@freakingpenguin.com> writes:
>>
>> > Another one seems to be the [security fixes], [fixes CVE-...], and
>> > [fixes TROVE-...] blocks added to certain header lines. What other
>> > tags exist? There seems to be inconsistency here when referring to
>> > multiple CVEs. For example, when a fixes tag references multiple
>> > CVEs you can find.
>> >
>> > [fixes CVE-2020-10700, CVE-2020-10704] [5]
>> > [fixes CVE-2020-3898 & CVE-2019-8842] [6]
>> > [fixes CVE-2023-{28755, 28756}] [7]
>>
>> I think these are likely to bust the 70 characters limit for a git
>> commit summary line, so perhaps we could standardize on
>> [fixes CVE-XXX] for single CVEs or [security fixes] when there are
>> more than one (listing the CVEs in the commit message body instead
>> then).
>
> I think we should use a "Fixes: [short description] <URI>" footer for
> both Guix and upstream bugs, that can easily be parsed – hopefully by
> both humans and machines. That would give the interested reader the
> (contextual) information they need, while also leaving the main body to
> a more thorough description of the patch itself.

That's a good idea, and I already use a "Fixes:" git trailer for fixed
bugs, but I also like to be able to see from the 'git log' output which
commits were security related (I see value in the summary [security
fixes] "tag").

-- 
Thanks,
Maxim
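An added example, not part of the thread or of Guix's tooling: a small Python audit that recognises the three multi-CVE tag spellings quoted above, checks the 70-character summary limit, and reads "Fixes:" trailers in the layout proposed in the thread. The function names, the placeholder package name and the example.org URIs are assumptions made for illustration.

```python
import re

SUMMARY_LIMIT = 70  # summary-line limit mentioned in the thread

# Bracketed tags seen in the thread: [security fixes], [fixes CVE-...], [fixes TROVE-...]
TAG_RE = re.compile(r"\[(security fixes|fixes [^\]]+)\]")
# Shorthand such as CVE-2023-{28755, 28756}
BRACE_RE = re.compile(r"CVE-(\d{4})-\{([^}]*)\}")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Assumed trailer layout: "Fixes: short description <URI>", URI optional
TRAILER_RE = re.compile(r"^Fixes:[ \t]*(.*?)[ \t]*(?:<(\S+)>)?[ \t]*$", re.MULTILINE)


def expand_cves(text):
    """Return every CVE id in text, expanding the brace shorthand first."""
    def expand(match):
        year, numbers = match.group(1), match.group(2).split(",")
        return ", ".join(f"CVE-{year}-{n.strip()}" for n in numbers)
    return sorted(set(CVE_RE.findall(BRACE_RE.sub(expand, text))))


def audit(message):
    """Classify one commit message (summary line, blank line, body)."""
    summary, _, body = message.partition("\n")
    return {
        "too_long": len(summary) > SUMMARY_LIMIT,
        "security": TAG_RE.search(summary) is not None,
        "cves": expand_cves(message),
        "trailers": TRAILER_RE.findall(body),  # list of (description, uri)
    }


# Constructed commit messages; "example" is a placeholder package name.
SAMPLES = [
    "gnu: example: Update to 1.1 [fixes CVE-2020-3898 & CVE-2019-8842].\n",
    "gnu: example: Update to 1.1 [fixes CVE-2023-{28755, 28756}].\n",
    "gnu: example: Update to 1.1 [security fixes].\n\n"
    "Fixes: CVE-2020-10700 <https://example.org/CVE-2020-10700>\n"
    "Fixes: CVE-2020-10704 <https://example.org/CVE-2020-10704>\n",
    "gnu: example: Update to 1.1.\n",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg.splitlines()[0], "->", audit(msg))
```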