On Mon, Dec 12, 2011 at 10:14 AM, Andrea Pescetti <[email protected]> wrote:
> On 11/12/2011 Rob Weir wrote:
>>
>> The practice is to check in such fixes without making it evident to
>> the observer that it is security-related. So don't expect SVN
>> comments to give it away.
>
>
> Like this?
> http://cgit.freedesktop.org/libreoffice/core/commit/?id=cf5d0e20f2ba5a71f9ca2ed78a1b24841c97bb06
>
We'll probably see things like this as well, but not until after the security report is made. Remember, with SVN a commit comment is just a property (svn:log), and that can be changed. So the process would be to commit the fix without drawing attention to it, and then after the public report is made, to go back and update the SVN log to include the CVE for that revision. See step 15 here:

http://www.apache.org/security/committers.html

-Rob

> I know the example is from LibreOffice (even though the bug might be shared
> with OpenOffice.org or Apache OpenOffice) but I just happened to spot it and
> it doesn't seem particularly hidden... Such a policy would have to apply to
> all related projects (again, I totally don't know if this bug is related to
> Apache OpenOffice too, I'm just discussing the issue in general).
>
> Regards,
> Andrea.
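The two-step process Rob describes (commit with a neutral log message, then amend svn:log once the advisory is public), shown as an added example that is not part of the thread or of the Apache OpenOffice project. It builds a throwaway local repository with svnadmin, so it runs offline; the file name, the commit message and the CVE id are constructed placeholders. The one practical catch it demonstrates: Subversion refuses to change a revision property unless the repository's pre-revprop-change hook exists and exits 0, so a project that wants to amend logs after disclosure has to have that hook in place on the server (with whatever access checks it wants inside it).

```shell
#!/bin/sh
# Added example (not from the thread): commit a fix with a non-revealing
# svn:log, then amend the log of that revision after public disclosure.
# Everything here is constructed; CVE-YYYY-NNNN is a placeholder id.
set -eu

amend_log_after_disclosure() {
    if ! command -v svn >/dev/null 2>&1 || ! command -v svnadmin >/dev/null 2>&1; then
        echo "svn/svnadmin not installed; nothing to demonstrate" >&2
        return 0
    fi
    work=$(mktemp -d)
    repo="$work/repo"
    url="file://$repo"
    svnadmin create "$repo"

    # Revision properties (svn:log, svn:author, svn:date) are unversioned,
    # so svn refuses to modify them unless pre-revprop-change exists and
    # exits 0. A real server hook would restrict who may change what.
    printf '#!/bin/sh\nexit 0\n' > "$repo/hooks/pre-revprop-change"
    chmod +x "$repo/hooks/pre-revprop-change"

    svn checkout -q "$url" "$work/wc"
    echo 'parse(buf)' > "$work/wc/parser.c"   # constructed stand-in for the fixed source
    svn add -q "$work/wc/parser.c"

    # Step 1: the fix goes in under a message that does not flag it as security work.
    svn commit -q -m "Fix crash on malformed input" "$work/wc"
    rev=$(svnlook youngest "$repo")

    # Step 2: after the advisory is public, rewrite svn:log for that revision
    # so the history carries the CVE reference.
    svn propset -q --revprop -r "$rev" svn:log \
        "Fix crash on malformed input (CVE-YYYY-NNNN)" "$url"

    # Print the amended log so callers can confirm the rewrite took effect.
    svn propget --revprop -r "$rev" svn:log "$url"
    rm -rf "$work"
}

amend_log_after_disclosure
```

Run it as a script; it prints the amended log line and cleans up the temporary repository. On a real server the same `svn propset --revprop -r REV svn:log` command is issued against the repository URL by a committer, and the pre-revprop-change hook is where the project decides who is allowed to do that.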
