Hi Armin,

On Thu, 20 Oct 2016 08:26:37 akuster808 wrote:
> Regarding the CVE list. I see some info is based on what was in the
> commit messages for package updates. I suspect the list would be bigger
> because of general package updates. Should the release notes make note
> of that?
> Should the community in general provide more info in the commits to
> help with release notes if that is a source used for that process?

We really should include that - unfortunately I didn't have time to track down all of those; assembling this list took several days of grinding through the commits as it was. I did check upstream for some of the upgrades where a CVE patch was removed, just to verify that the fix was indeed included in the upgrade, and for those I collected any others that were listed as having been fixed, but I wasn't really systematic about that.

Do you know if there's any central resource we can use to find out which versions of upstream software included which CVE fixes, or is it perhaps time we started gathering links to the changelogs for each recipe? (Maybe we should do the latter anyway.)

Cheers,
Paul

--
Paul Eggleton
Intel Open Source Technology Centre

_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto