On 12/15/2015 11:37 AM, Richard Purdie wrote:
> On Tue, 2015-12-15 at 11:30 -0500, Philip Balister wrote:
>> I also suggest copying the
>>
>> https://lists.yoctoproject.org/listinfo/yocto-security
>>
>> list.
>
> and the architecture list, this is something that should apply to more
> than OE-Core ideally.

I thought the exact same thing seconds after hitting send. I'll let the
security and architecture people decide which list is best for
discussion. What I do want to see is fewer discussions cross-posted
across many lists.

Philip

>
> Cheers,
>
> Richard
>
>> Philip
>>
>> On 12/15/2015 11:03 AM, Mariano Lopez wrote:
>>> There is an initiative to track vulnerable software being built (see
>>> bugs 8119 and 7515). The idea is to have a testing tool that would check
>>> the recipe versions against CVEs. In order to accomplish such a task
>>> there is a need to reliably mark the patches from upstream that solve CVEs.
>>>
>>> There have been two options to mark the patches that solve CVEs:
>>>
>>> 1. Have "CVE" and the CVE number as the patch filename.
>>>    Pros:
>>>      Doesn't require a new tag.
>>>    Cons:
>>>      It is not flexible to add more information, for example two CVEs in
>>>      the same patch.
>>>
>>> 2. Add a new tag in the patch that has the CVE information.
>>>    Pros:
>>>      It is flexible and can add more information.
>>>    Cons:
>>>      Requires a change in the patch metadata.
>>>
>>> What I would recommend is to add a new tag in the patch; it must contain
>>> the CVE ID. With this it would be possible to look for the CVE
>>> information easily in the testing tool or in NIST, MITRE, or another web
>>> page. For example, this would be part of the patch for CVE-2013-6435,
>>> currently in OE-Core:
>>>
>>> -- snip --
>>>
>>> Upstream-Status: Backport
>>> CVE: CVE-2013-6435
>>>
>>> Reference:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435
>>>
>>> -- snip --
>>>
>>> The expected output of this discussion is a standard format for CVE
>>> patches that most, if not all, community members agree on.
>>>
>>> Please let me know your comments.
>>>
>>> Cheers,
>>>
>>> Mariano Lopez
>
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
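As an added example (not code from this thread and not OE-Core's own tooling), the following Python sketch shows what the testing tool Mariano describes would do with the proposed "CVE:" tag: read only the patch metadata that precedes the diff body, collect every CVE ID on "CVE:" lines (so one patch can claim several CVEs, the case option 1 cannot express), fall back to the filename convention of option 1 for untagged patches, and report the CVEs known for a recipe version that no patch claims to fix. The sample patch text, the function names, and the IDs CVE-0000-0001 and CVE-0000-0009 are constructed for this example; CVE-2013-6435 is the ID from the thread.

```python
import re

# CVE identifiers look like CVE-<year>-<4 or more digits>.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Lines that start the diff body. Everything before them is patch metadata
# (the header), which is the only place the proposed "CVE:" tag is honoured,
# so CVE numbers mentioned in the code changes themselves are never counted.
DIFF_START_RE = re.compile(r"^(diff --git |--- |\+\+\+ |Index: )")

# Constructed sample patch (not a real OE-Core patch). CVE-0000-0001 and
# CVE-0000-0009 are placeholder IDs; CVE-2013-6435 comes from the thread.
SAMPLE_PATCH = """\
From: Example Maintainer <maintainer@example.invalid>
Subject: [PATCH] Fix a buffer handling bug

Upstream-Status: Backport
CVE: CVE-2013-6435 CVE-0000-0001

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6435

--- a/foo.c
+++ b/foo.c
@@ -1,2 +1,2 @@
-/* old */
+/* mentions CVE-0000-0009 in the diff body, which is not a tag */
"""


def patch_header(patch_text):
    """Return the metadata lines that precede the first diff hunk."""
    header = []
    for line in patch_text.splitlines():
        if DIFF_START_RE.match(line):
            break
        header.append(line)
    return header


def cves_from_tag(patch_text):
    """Option 2: every CVE ID listed on 'CVE:' tag lines in the header."""
    found = set()
    for line in patch_header(patch_text):
        key, sep, value = line.partition(":")
        if sep and key.strip().upper() == "CVE":
            found.update(CVE_RE.findall(value))
    return found


def cves_from_filename(path):
    """Option 1: derive the CVE ID from the patch file name only."""
    name = path.rsplit("/", 1)[-1]
    return set(CVE_RE.findall(name))


def cves_fixed_by_patch(path, patch_text):
    """Prefer the explicit tag; fall back to the filename for untagged patches."""
    return cves_from_tag(patch_text) or cves_from_filename(path)


def unpatched_cves(known_for_version, patched):
    """CVEs reported against the recipe version that no patch claims to fix."""
    return set(known_for_version) - set(patched)


if __name__ == "__main__":
    # Constructed list of CVEs a database might report for this recipe version.
    known = {"CVE-2013-6435", "CVE-0000-0001", "CVE-0000-0002"}
    fixed = cves_fixed_by_patch("fix-buffer.patch", SAMPLE_PATCH)
    print("fixed by patches:", sorted(fixed))
    print("still open:", sorted(unpatched_cves(known, fixed)))
```

The parser deliberately ignores CVE numbers that appear in the Subject line or in the diff body: a patch that merely mentions a CVE (say, in a comment) is not a claim to fix it, and treating it as one would make the tool report a vulnerable recipe as clean.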