On Mon, 2022-03-07 at 12:51 +0100, Quentin Schulz wrote:
> Hi Richard,
>
> On 3/7/22 12:44, Richard Purdie wrote:
> > On Mon, 2022-03-07 at 12:26 +0100, Quentin Schulz wrote:
> > > Hi all,
> > >
> > > On 3/7/22 12:21, Quentin Schulz wrote:
> > > > From: Alexander Kanavin <[email protected]>
> > > >
> > > > Signed-off-by: Alexander Kanavin <[email protected]>
> > > > Signed-off-by: Richard Purdie <[email protected]>
> > > > (cherry picked from commit 6a3289c4786c4d278e2bf0ec1a5e04363772d8bc)
> > > > Signed-off-by: Quentin Schulz <[email protected]>
> > > > ---
> > >
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.spinics.net_lists_util-2Dlinux-2Dng_msg17037.html&d=DwICaQ&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=U4eCQXCHnTmgAB4bLm1IJBHGUvY0OlzZwRhwZUecFxMBJMnqgAgrTpTz0IrWUJTR&s=Z_Fk9dO_TkdYJYl46pu81nr28SBx_F4uwjA-u2QRndg&e=
> > > 2.37.3 fixes two CVEs (not listed on nvdist database for some reason).
> > >
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.spinics.net_lists_util-2Dlinux-2Dng_msg17087.html&d=DwICaQ&c=_sEr5x9kUWhuk4_nFwjJtA&r=LYjLexDn7rXIzVmkNPvw5ymA1XTSqHGq8yBP6m6qZZ4njZguQhZhkI_-172IIy1t&m=U4eCQXCHnTmgAB4bLm1IJBHGUvY0OlzZwRhwZUecFxMBJMnqgAgrTpTz0IrWUJTR&s=FoMkkE5_1EdZcBKwKLGT1JehXLRN8KwCdyEAunBBJIw&e=
> > > 2.37.4 fixes one CVE (not listed on bvdist for some reason).
> > >
> > > I think it might be useful for release maintainer(s) if we mention in
> > > the commit log or commit title if it's a security bump or not when
> > > sending patches for version bumps to master? What do you think? (FYI,
> > > Buildroot seems to do it regularly and it helps me with keeping my
> > > vendor tree somewhat up-to-date security wise.)
> >
> > I'm happy if people do mention it (I did for expat recently) but I'm not
> > going to block upgrades on the information being missing (how would I tell?).
> >
> > We're struggling to get people to submit upgrades so I'm reluctant to make
> > it harder for them.
>
> Impossible to enforce anyway, as you just mentioned. But making people
> aware that it's a nice thing to do should be doable, e.g. adding a few
> words in
> https://docs.yoctoproject.org/dev-manual/common-tasks.html#submitting-a-change-to-the-yocto-project
> and
> https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded ?
>
> It was not my intention to suggest adding additional rules, sorry if it
> came across this way.

Highlighting in the docs sounds like a great idea :)

Cheers,

Richard
View/Reply Online (#162813): https://lists.openembedded.org/g/openembedded-core/message/162813
