On 10/27/2017 02:46 PM, Alexander Kanavin wrote:
> On 10/27/2017 01:16 PM, Philip Balister wrote:
>> Can you also update the commit message to show the CVE entries in a
>> standard format? We are trying to collect commits that resolve CVE's on
>> the yocto-security list.
>>
>> https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines#Example:_CVE_patch_header
>>
>>
>> For this mentioning the CVE without the .patch might help. cc'ing
>> Michael in case he his suggesting to help the hook.
>
> For this to work, recipe maintainers need to do this manual work
> consistently and reliably across all version updates, and I simply can't
> see it happening.
>
> You should make the tooling work so that it looks at versions in
> addition to cve tags. So that this curl 7.54->7.56.1 commit resolves to
> the list of CVEs fixed in 7.56 automatically, via some database lookup.

We have to start somewhere.

Philip

>
> Alex