On 10/20/16 12:32 PM, Paul Eggleton wrote:
> Hi Armin,
>
> On Thu, 20 Oct 2016 08:26:37 akuster808 wrote:
>> Regarding the CVE list. I see some info is based on what was in the
>> commit messages for package updates. I suspect the list would be bigger
>> because of general package updates. Should the release notes make note
>> of that?
>> Should the community in general provide more info in the commits to
>> help with release notes if that is a source used for that process?
>
> We really should include that - unfortunately I didn't have time to track
> down all of those, assembling this list took several days of grinding
> through the commits as it was.

This is why I bring it up. We tend to take the easy route when submitting
changes, not understanding the work it may cause someone else downstream.
I appreciate your effort in this task.

> I did check upstream for some of the upgrades where a CVE patch was
> removed just to verify that fix was indeed included in the upgrade, and
> for those I collected any others that were listed as having been fixed,
> but I wasn't really systematic about that.
>
> Do you know if there's any central resource we can use to find out which
> versions of upstream software included which CVE fixes,

There are, but I am not sure how complete they are. It's not uncommon for
the NVD to have "reserved" listed for something that has been out for a
while. Let me look into it.

> or is it perhaps time we started gathering links to the changelogs for
> each recipe? (Maybe we should do the latter anyway.)

Some packages use a common link for all changes. I think people just need
to be aware we use the commit messages to help with release notes. I am
not proposing using a keyword in the commit messages that we can suck in
with a tool to help create the release notes. That would just be silly.

- armin

> Cheers,
> Paul
>

--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
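The thread above describes the manual work of assembling a release-notes CVE list: reading commit messages for CVE identifiers, and noticing upgrade commits that drop a CVE-named patch file (a hint that the fix is now upstream and must be verified there). The script below is an added example that automates that first pass; it is not part of the thread or of the Yocto project's tooling. It assumes the OpenEmbedded conventions of "<recipe>: ..." commit subjects and recipes-<section>/<recipe>/ paths, a NUL-separated `git log --name-status` format chosen here, a heuristic upgrade-subject regex, and a constructed sample log with placeholder hashes and CVE numbers.

```python
"""Collect CVE identifiers from a git commit range (added example, not Yocto tooling).

Sources, mirroring what the thread describes doing by hand:
  - CVE ids mentioned in commit messages
  - CVE-named patch files added by a commit (backported fix)
  - CVE-named patch files deleted by a commit (fix presumably upstream: verify it)
Upgrade commits that mention no CVE at all are listed for a manual changelog check.

Input format (assumed by this example):
    git log --name-status --format='%x00%H%n%s%n%b' <range>
"""
import re
import subprocess
import sys
from dataclasses import dataclass, field

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# one --name-status line: status (A, D, M, R100, ...) TAB path [TAB new-path]
STATUS_RE = re.compile(r"^([ADMRCT]\d*)\t([^\t]+)(?:\t([^\t]+))?$")
RECIPE_PATH_RE = re.compile(r"recipes-[^/]+/([^/]+)/")   # OE layout (assumed)
SUBJECT_RECIPE_RE = re.compile(r"^([\w.+-]+):\s")         # "<recipe>: ..." subjects
UPGRADE_RE = re.compile(r"\b(upgrade|update|bump)\b", re.I)  # heuristic, assumed


@dataclass
class Commit:
    sha: str
    subject: str
    body: str = ""
    files: list = field(default_factory=list)  # (status letter, path)


def recipe_of(commit):
    """Recipe name from the subject prefix, else from the first recipes-*/ path."""
    m = SUBJECT_RECIPE_RE.match(commit.subject)
    if m:
        return m.group(1)
    for _status, path in commit.files:
        m = RECIPE_PATH_RE.search(path)
        if m:
            return m.group(1)
    return "?"


def parse_log(text):
    """Split NUL-separated records into Commit objects; tolerant of blank lines."""
    commits = []
    for record in text.split("\x00"):
        lines = record.strip("\n").splitlines()
        if not lines:
            continue
        sha = lines[0].strip()
        subject = lines[1].strip() if len(lines) > 1 else ""
        body, files = [], []
        for line in lines[2:]:
            m = STATUS_RE.match(line)
            if m:                       # renames carry the new path in group 3
                files.append((m.group(1)[0], m.group(3) or m.group(2)))
            elif line.strip():
                body.append(line)
        commits.append(Commit(sha, subject, "\n".join(body), files))
    return commits


def classify(commit):
    """CVE ids a commit mentions, backports (patch added) or drops (patch deleted)."""
    mentioned = set(CVE_RE.findall(commit.subject + "\n" + commit.body))
    backported, dropped = set(), set()
    for status, path in commit.files:
        ids = set(CVE_RE.findall(path.rsplit("/", 1)[-1]))
        if status == "A":
            backported |= ids
        elif status == "D":
            dropped |= ids
    return {"mentioned": mentioned, "backported": backported, "dropped": dropped}


def collect(text):
    """Aggregate CVE ids per recipe and list what still needs a manual check."""
    by_recipe, verify_upstream, upgrades_without_cves = {}, [], []
    for c in parse_log(text):
        found = classify(c)
        all_ids = found["mentioned"] | found["backported"] | found["dropped"]
        if all_ids:
            by_recipe.setdefault(recipe_of(c), set()).update(all_ids)
        for cve in sorted(found["dropped"]):   # dropped patch: confirm fix is upstream
            verify_upstream.append((c.sha, recipe_of(c), cve))
        if not all_ids and UPGRADE_RE.search(c.subject):
            upgrades_without_cves.append((c.sha, c.subject))
    return {"by_recipe": by_recipe, "verify_upstream": verify_upstream,
            "upgrades_without_cves": upgrades_without_cves}


def git_log(rev_range, repo="."):
    """Produce the expected input from a real checkout (not used by the sample)."""
    return subprocess.run(
        ["git", "-C", repo, "log", "--name-status", "--format=%x00%H%n%s%n%b", rev_range],
        check=True, capture_output=True, text=True).stdout


# Constructed sample log; hashes and CVE numbers are placeholders, not real ones.
SAMPLE_LOG = (
    "\x00aaaa1111\nopenssl: upgrade to 1.0.2j\n"
    "Fixes CVE-2016-99990. Drop CVE-2016-99991.patch, now merged upstream.\n\n"
    "M\tmeta/recipes-connectivity/openssl/openssl_1.0.2j.bb\n"
    "D\tmeta/recipes-connectivity/openssl/openssl/CVE-2016-99991.patch\n"
    "\x00bbbb2222\ncurl: fix CVE-2016-99992\n\nBackport of the upstream fix.\n\n"
    "A\tmeta/recipes-support/curl/curl/CVE-2016-99992.patch\n"
    "M\tmeta/recipes-support/curl/curl_7.50.1.bb\n"
    "\x00cccc3333\nbash: update to 4.4\nChangelog not summarised here.\n\n"
    "M\tmeta/recipes-extended/bash/bash_4.4.bb\n"
)

if __name__ == "__main__":
    result = collect(git_log(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG)
    for recipe, ids in sorted(result["by_recipe"].items()):
        print(f"{recipe}: {', '.join(sorted(ids))}")
    for sha, recipe, cve in result["verify_upstream"]:
        print(f"verify upstream: {recipe} {cve} (patch dropped in {sha[:7]})")
    for sha, subject in result["upgrades_without_cves"]:
        print(f"read changelog: {subject} ({sha[:7]})")
```

Run it with a revision range (for example the two release tags) to get a first draft of the list; the "verify upstream" and "read changelog" lines are exactly the cases Paul describes having to chase by hand, so the output is a worklist, not a finished CVE list.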