On Thu, Dec 01, 2016 at 04:34:20PM +0100, Raphael Hertzog wrote:
> On Tue, 29 Nov 2016, Antoine Beaupré wrote:
> > I wonder if we should standardize something about this.
> >
> > I usually name security patches with the following scheme:
> > debian/patches/CVE-XXXX-YYYY(-commithash)?.patch
>
> I use CVE-XXXX-YYYY(-patchnumber)?.patch as some issues require multiple
> patches to be fixed. But I do not embed the commit hash, it's already
> present in the meta-data and does not provide anything useful.
>
> > relevant. if i don't have the CVE, i use some bug number or some unique
> > identifier. i have found it way more difficult to find my way around
> > patch queues that use "symbolic" names that describe the issue rather
> > than individual ticket or CVE numbers...
>
> Me too.
>

Today I will rename the patches, ensure that each one has the relevant
CVE and/or bug number in the patch header, and the debian/changelog
entries are updated with the applicable CVE IDs and/or bug numbers.

Since all of those are "cosmetic" issues, I will not call for further
review and since I have received positive feedback on the testing, I
will then upload that version of the package and release the DLA.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
