On 16 December 2015 at 09:03, Sona Sarmadi <[email protected]> wrote:

> We are supposed to have a reference to the CVE identifier both in the patch
> file/s and the commit message (e.g. xxx-CVE-2013-6435.patch) according to the
> guidelines for "Patch name convention and commit message" in the Yocto
> Wiki https://wiki.yoctoproject.org/wiki/Security.
>
> If a patch addresses multiple CVEs, perhaps we should name the patch:
> Fix-for-multiple-CVEs.patch and list all CVEs in the patch file.
>
> Will this not solve the problem? Do you think there is still a need for a
> new tag "CVE"?
>
>

I'd say a new tag is essential if we want to automate tooling, to reduce
the chance of false-positives from simply searching the patch for something
that looks like a CVE reference.

Ross
-- 
_______________________________________________
Openembedded-devel mailing list
[email protected]
http://lists.openembedded.org/mailman/listinfo/openembedded-devel
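The tooling point in the reply above, as an added illustration (this is not code from the thread, from Yocto, or from OpenEmbedded): three ways a scanner could recover CVE IDs from a patch, run over a constructed sample. Grepping the whole patch for anything shaped like a CVE ID also catches an unrelated CVE mentioned in the description; deriving the ID from the filename breaks down for a multi-CVE patch named Fix-for-multiple-CVEs.patch; an explicit tag line (assumed format `CVE: CVE-YYYY-NNNN`, one per line, in the header above the `---` diffstat separator) gives the tool an unambiguous list. The CVE-2099-* identifiers are placeholders, not real CVEs.

```python
import re

# Constructed sample patch (not a real OE patch). Its description mentions an
# unrelated CVE, and it carries an explicit tag line in the header.
SAMPLE_PATCH = """\
From: Example Author <author@example.invalid>
Subject: [PATCH] foo: bound-check the copy length

This fixes the overflow reported as CVE-2013-6435. It is unrelated to
CVE-2099-0001, which was fixed earlier by a different change.

CVE: CVE-2013-6435

Upstream-Status: Backport
Signed-off-by: Example Author <author@example.invalid>
---
 foo.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/foo.c b/foo.c
--- a/foo.c
+++ b/foo.c
@@ -10,7 +10,7 @@
-    memcpy(buf, src, len);
+    memcpy(buf, src, len < sizeof(buf) ? len : sizeof(buf));
"""

# Constructed multi-CVE patch: the filename carries no ID, the header carries two tags.
MULTI_CVE_PATCH = """\
Subject: [PATCH] bar: fix two parsing bugs

CVE: CVE-2099-0001
CVE: CVE-2099-0002
Upstream-Status: Backport
---
 bar.c | 4 ++--
"""

CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Assumed tag format: a header line "CVE: <one or more CVE IDs>".
CVE_TAG_RE = re.compile(r"^CVE:\s*(.+)$", re.MULTILINE)


def cves_by_grep(patch_text):
    """Naive scan: every CVE-shaped token anywhere in the patch, prose included."""
    return sorted(set(CVE_ID_RE.findall(patch_text)))


def cves_from_filename(patch_name):
    """Filename convention: IDs embedded in the patch name, if any."""
    return sorted(set(CVE_ID_RE.findall(patch_name)))


def cves_by_tag(patch_text):
    """Structured scan: only IDs listed on explicit 'CVE:' lines in the header.

    The header is everything before the '---' diffstat separator, so a 'CVE:'
    string inside the diff body (a code comment, say) is never picked up.
    """
    header = patch_text.split("\n---\n", 1)[0]
    found = set()
    for tag in CVE_TAG_RE.finditer(header):
        found.update(CVE_ID_RE.findall(tag.group(1)))
    return sorted(found)


if __name__ == "__main__":
    print("grep      :", cves_by_grep(SAMPLE_PATCH))
    print("filename  :", cves_from_filename("xxx-CVE-2013-6435.patch"))
    print("filename  :", cves_from_filename("Fix-for-multiple-CVEs.patch"))
    print("tag       :", cves_by_tag(SAMPLE_PATCH))
    print("tag multi :", cves_by_tag(MULTI_CVE_PATCH))
```

The grep result over the sample lists both CVE-2013-6435 and the unrelated CVE-2099-0001, which is exactly the false positive the reply warns about; the tag-based scan returns only the ID the patch author declared, and handles the multi-CVE case without depending on the filename.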