On 10/27/2017 01:16 PM, Philip Balister wrote:
Can you also update the commit message to show the CVE entries in a
standard format? We are trying to collect commits that resolve CVEs on
the yocto-security list.
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Example:_CVE_patch_header
For this mentioning the CVE without the .patch might help. cc'ing
Michael in case he is suggesting to help the hook.
For this to work, recipe maintainers need to do this manual work
consistently and reliably across all version updates, and I simply can't
see it happening.
You should make the tooling work so that it looks at versions in
addition to CVE tags. So that this curl 7.54->7.56.1 commit resolves to
the list of CVEs fixed in 7.56 automatically, via some database lookup.
Alex
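The version-aware lookup Alex proposes, as an added example that is not code from this thread or from the OpenEmbedded project: a constructed, placeholder CVE database keyed by recipe with introduced/fixed-in versions, a resolver that maps a version bump to the CVEs it closes, and a parser for explicit `CVE:` tag lines. The database schema, the placeholder CVE IDs and the `CVE: CVE-...` tag-line format are assumptions.

```python
import re
from typing import List, Tuple

# Constructed placeholder database for illustration only: the IDs are NOT real
# curl CVEs. "introduced" is the first affected version (None = all earlier
# versions), "fixed_in" the first version that contains the fix.
CVE_DB = {
    "curl": [
        {"id": "CVE-0000-0001", "introduced": None,     "fixed_in": "7.55.0"},
        {"id": "CVE-0000-0002", "introduced": "7.20.0", "fixed_in": "7.56.0"},
        {"id": "CVE-0000-0003", "introduced": None,     "fixed_in": "7.56.1"},
        {"id": "CVE-0000-0004", "introduced": None,     "fixed_in": "7.57.0"},  # not fixed by 7.56.1
        {"id": "CVE-0000-0005", "introduced": None,     "fixed_in": "7.50.0"},  # already fixed before 7.54
        {"id": "CVE-0000-0006", "introduced": "7.55.0", "fixed_in": "7.56.0"},  # never affected 7.54
    ]
}

# Assumed tag-line format in the commit message: "CVE: CVE-YYYY-NNNN".
CVE_TAG_RE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,})\s*$", re.MULTILINE)

# Constructed commit message for the curl 7.54 -> 7.56.1 bump discussed above.
SAMPLE_COMMIT = "curl: update to 7.56.1\n\nCVE: CVE-0000-0003\n\nSigned-off-by: example\n"

def parse_version(v: str) -> Tuple[int, ...]:
    """'7.54' -> (7, 54, 0): pad to three components so 7.54 compares equal to 7.54.0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))

def cves_fixed_by_bump(recipe: str, old: str, new: str) -> List[str]:
    """CVEs closed by the bump: fix lands in (old, new] AND the old version was affected.
    Entries introduced after `old` are skipped; the recipe never shipped that bug."""
    lo, hi = parse_version(old), parse_version(new)
    fixed = []
    for e in CVE_DB.get(recipe, []):
        fix = parse_version(e["fixed_in"])
        intro = parse_version(e["introduced"]) if e["introduced"] else (0, 0, 0)
        if lo < fix <= hi and intro <= lo:
            fixed.append(e["id"])
    return sorted(fixed)

def tagged_cves(commit_msg: str) -> List[str]:
    """CVE IDs the maintainer tagged explicitly in the commit message."""
    return CVE_TAG_RE.findall(commit_msg)

def resolve_cves(recipe: str, old: str, new: str, commit_msg: str) -> List[str]:
    """Union of explicit tags and the database lookup, so a forgotten tag is still caught."""
    return sorted(set(tagged_cves(commit_msg)) | set(cves_fixed_by_bump(recipe, old, new)))

if __name__ == "__main__":
    print(resolve_cves("curl", "7.54", "7.56.1", SAMPLE_COMMIT))
```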
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core