Hi,

On 2/3/2021 3:38 PM, Steve Sakoman wrote:
> On Wed, Feb 3, 2021 at 12:02 AM Mikko Rapeli <mikko.rap...@bmw.de> wrote:
>> Hi,
>>
>> On Wed, Feb 03, 2021 at 08:42:57AM +0000, Anatol Belski wrote:
>>> The naming convention needs to be held so the CVE is recognized as
>>> fixed by the tooling.
>>
>> Yocto CVE checker does detect CVE patches also from patch comments so
>> this change is not needed for that. This is sufficient:
>>
>> poky$ git grep CVE-2020-35457
>> meta/recipes-core/glib-2.0/glib-2.0/0001-goption-Add-a-precondition-to-avoid-GOptionEntry-lis.patch:CVE: CVE-2020-35457
>
> Yes, we are detecting the CVE patch from the patch comment.
>
> However our CVE patch guidelines do request that the patch be named
> with the CVE as the name:
>
> https://wiki.yoctoproject.org/wiki/Security
>
> (in the "Patch name convention and commit message" section)
>
> I'm sorry I didn't catch this when I merged this earlier. I always
> check the patch itself for the CVE tag, but I missed the name. So I'm
> happy to take this patch just to clean up the metadata and make it
> easy to see that this is a CVE patch.

Thanks for pointing this out. On my side, I also always check this one
https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines

There's no explicit mention on the filename, but I guess I sure read the
other page, too. Perhaps the effort would be better put adding a word on
the wiki, that the filename is not really relevant. And otherwise, seems
there's nothing to fix other than my habit on seeing the filename to be
same as CVE :)

Thanks!
Anatol

> Steve
>
>> Is there some other tooling that you are referring to?
>>
>> Cheers,
>> -Mikko
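The point Mikko makes above is that the tooling picks up the CVE id from the `CVE:` tag in the patch header, so the filename is only a human-readability convention. The script below is an added illustration of that distinction; it is not Yocto's cve-check code and was not posted in this thread. It extracts CVE ids from both the filename and the `CVE:` tag lines, and reports patches where the two disagree (tag present but name does not show it, or name carries a CVE with no tag). Assumptions: the commit-message header is taken to end at the first `---` or `diff --git` line so ids that only appear inside the diff body are ignored, and the two sample patches (the glib one named in the thread, plus one with a constructed `CVE-2099-…` id) are constructed here with dummy diff bodies.

```python
"""Find the CVE ids a patch file declares, from its filename and from the
"CVE:" tag in its header, and report where the two disagree.
Added example: an illustration, not Yocto's cve-check implementation."""
import re

CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
CVE_TAG_RE = re.compile(r"^CVE:\s*(.*)$", re.MULTILINE)
# Assumption: the commit-message header ends at the first "---" line (git
# format-patch separator) or the first "diff --git" line; CVE ids that only
# appear inside the diff body are deliberately not counted.
HEADER_END_RE = re.compile(r"^(?:---|diff --git )", re.MULTILINE)


def patch_header(text):
    """Return the commit-message part of a patch file."""
    m = HEADER_END_RE.search(text)
    return text if m is None else text[:m.start()]


def cves_from_name(name):
    """CVE ids encoded in the patch filename (e.g. CVE-2020-35457.patch)."""
    return set(CVE_ID_RE.findall(name))


def cves_from_header(text):
    """CVE ids listed on 'CVE:' tag lines in the patch header (one tag
    line may list several ids)."""
    found = set()
    for m in CVE_TAG_RE.finditer(patch_header(text)):
        found.update(CVE_ID_RE.findall(m.group(1)))
    return found


def check_patch(name, text):
    """Union of both sources, plus the mismatches a reviewer would flag."""
    by_name = cves_from_name(name)
    by_tag = cves_from_header(text)
    return {
        "cves": sorted(by_name | by_tag),
        "untagged": sorted(by_name - by_tag),  # name says CVE, no CVE: tag
        "unnamed": sorted(by_tag - by_name),   # tagged, name does not show it
    }


def lint(patches):
    """One finding per line, in the spirit of the wiki naming convention."""
    lines = []
    for name, text in patches:
        r = check_patch(name, text)
        for cve in r["unnamed"]:
            lines.append(f"{name}: carries tag {cve} but filename does not mention it")
        for cve in r["untagged"]:
            lines.append(f"{name}: named after {cve} but header has no 'CVE:' tag")
    return lines


# Constructed sample patches (header text is realistic, diff bodies are dummies).
GLIB_PATCH = (
    "0001-goption-Add-a-precondition-to-avoid-GOptionEntry-lis.patch",
    "Subject: [PATCH] goption: Add a precondition to avoid GOptionEntry list overflow\n"
    "\n"
    "CVE: CVE-2020-35457\n"
    "Upstream-Status: Backport\n"
    "---\n"
    " glib/goption.c | 1 +\n"
    "--- a/glib/goption.c\n"
    "+++ b/glib/goption.c\n"
    "+  /* constructed diff body */\n",
)
NAME_ONLY_PATCH = (
    "CVE-2099-10001.patch",  # constructed id, not a real CVE
    "Subject: [PATCH] fix\n"
    "\n"
    "Upstream-Status: Backport\n"
    "---\n"
    "--- a/x.c\n"
    "+++ b/x.c\n"
    "+/* CVE-2099-10002 mentioned only in the diff body, must not count */\n",
)

if __name__ == "__main__":
    for line in lint([GLIB_PATCH, NAME_ONLY_PATCH]):
        print(line)
```

Run as a script it prints one finding for each sample: the glib patch is tagged but not named after the CVE (the situation in this thread), and the second is named after a CVE but carries no `CVE:` tag, which is the case the tooling would actually miss.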
View/Reply Online (#147631): https://lists.openembedded.org/g/openembedded-core/message/147631