On 01/11/2017 04:49 PM, Philip Balister wrote:
> The problem with following the CVEs directly is you need to do analysis to
> determine if a specific release has the vulnerability.
> We do have guidelines for marking CVEs addressed by commits, to help
> people interested in developing tools to show what CVEs are addressed
> in the metadata.
>
> One suggestion made is to set up some form of git hook to email commits
> with CVE tags to the security list.
This is not going to work if a security issue is fixed by a version
update without an intermediate backported patch (which often happens).
And cve-check-tool is notorious for inaccuracies both ways.
There's simply no easy, working solution to this, the way I see it. In
the master branch the best we can do is to stay close to upstream; for
release branches the only thing that will really work is having real
recipe maintainers who follow upstream development closely.
Alex
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto