Hi Marta
On 20.10.23 at 10:36, Marta Rybczynska wrote:
> Hello everyone,
> We have a constant flow of work on pending CVEs. During my discussions
> with multiple people, a common need came up for synchronization of
> this work to avoid duplication or forgotten fixes.
> We have a decision on the tooling to make: do we want to create a
> Bugzilla entry for each new open CVE? An alternative is to use a wiki
> page (this has been prototyped by Ross) with heavy scripting to
> automate the tedious part.
> Today I propose that you use a special wiki page and the following procedure:
> On the wiki page, always add all additional information after a ";" sign
> to allow scripting. The first part of each line (until the ";") will be
> auto-generated. The second part contains information about the issue,
> like who is investigating or what the situation is.
> There is a separate list for each branch, as we realize that people
> concentrate on various branches.
> Workflow:
> * Mark the name of the person preparing a patch for each branch
> * If you have additional information (like a link to a patch), add it
> to the record
> * If a patch is posted to the mailing list, post a link to it (this
> will be automated)
> * When a patch reaches the "next" branch, mark it too (this will be
> automated too)
> * When the patch reaches the final branch, the line for the CVE is
> automatically removed (this is already automated)
> * The list is (re)generated every day
> Please have a look at the procedure proposal and at what the tracking
> might look like:
> https://wiki.yoctoproject.org/wiki/Synchronization_CVEs
This looks very useful. Thanks!
If I understand correctly, the fact that the beginning of each line is
generated automatically is a way to make sure nobody with Wiki write
rights can hide a vulnerability by removing it from the list, right?
Thanks again
Michael.
--
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
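To make the line convention in the proposal concrete, here is an added example (not Ross's prototype and not part of the Yocto tooling) of the daily regeneration step: everything before the first ";" is rebuilt from an automated feed of open CVEs for one branch, everything after it is carried over verbatim, and CVEs that the feed no longer reports (fixed in the final branch) drop out. The "<CVE id> <package> <stage>" layout of the auto-generated part, the stage values "open" and "next", and the sample lines and feed are all assumptions made up for this example.

```python
"""Daily regeneration of a per-branch CVE tracking page (added example).

Assumed line layout, an assumption for this example only:
    <CVE id> <package> <stage> ; <free-form notes written by people>
The head (before the first ';') is regenerated from the automated feed;
the notes (after it) survive regeneration unchanged, even if they
themselves contain ';'.
"""
from dataclasses import dataclass

SEP = ";"


@dataclass(frozen=True)
class OpenCve:
    """One open CVE for one branch, as reported by the automated feed."""
    cve_id: str
    package: str
    stage: str  # assumed values: "open" (no fix in next) or "next" (fix in next)


def split_line(line: str) -> tuple[str, str]:
    """Return (CVE id, human notes) for one wiki line.

    partition() on the first ';' means extra ';' inside the notes are kept.
    """
    head, _sep, notes = line.partition(SEP)
    head_words = head.split()
    cve_id = head_words[0] if head_words else ""
    return cve_id, notes.strip()


def collect_notes(existing_lines: list[str]) -> dict[str, str]:
    """Harvest the human-written part of every CVE line on the current page."""
    notes: dict[str, str] = {}
    for raw in existing_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line, nothing to preserve
        cve_id, note = split_line(line)
        if cve_id.startswith("CVE-"):
            notes[cve_id] = note
    return notes


def regenerate(existing_lines: list[str], open_cves: list[OpenCve]) -> list[str]:
    """Rebuild the list for one branch.

    - the head of each line comes only from the feed, never from the page;
    - notes are re-attached by CVE id, so a line someone deleted by hand
      comes back on the next run (with empty notes);
    - a CVE absent from the feed (fixed in the final branch) is dropped.
    """
    notes = collect_notes(existing_lines)
    out = []
    for cve in sorted(open_cves, key=lambda c: c.cve_id):
        head = f"{cve.cve_id} {cve.package} {cve.stage}"
        out.append(f"{head} {SEP} {notes.get(cve.cve_id, '')}".rstrip())
    return out


# Constructed sample: yesterday's page for one branch. CVE ids, packages
# and notes are invented for this example.
YESTERDAY_LINES = [
    "# CVEs open on this branch; edit only after the ';'",
    "CVE-2023-0001 openssl open ; Marta investigating, patch at https://example.invalid/p1",
    "CVE-2023-0002 curl open ; Ross",
    "CVE-2023-0003 zlib next ; fix posted; waiting for next",
]

# Constructed sample: today's feed. 0001 reached "next", 0002 reached the
# final branch (gone), 0004 is new, and 0005 had its line deleted by hand
# yesterday but is still open according to the feed.
TODAY_FEED = [
    OpenCve("CVE-2023-0003", "zlib", "next"),
    OpenCve("CVE-2023-0001", "openssl", "next"),
    OpenCve("CVE-2023-0005", "glibc", "open"),
    OpenCve("CVE-2023-0004", "busybox", "open"),
]

if __name__ == "__main__":
    for line in regenerate(YESTERDAY_LINES, TODAY_FEED):
        print(line)
```

Run against the samples this prints four lines: openssl now marked "next" with Marta's note intact, the zlib line unchanged, and busybox and glibc with an empty notes field; the curl line is gone because the feed no longer lists it. The empty "; " is kept on purpose so that a later script can always split on the separator. Whether deleting a line by hand is really undone on the next run depends on the real generator's feed being the only source of the first part, as the proposal describes.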
View/Reply Online (#189538):
https://lists.openembedded.org/g/openembedded-core/message/189538