[Openembedded-architecture] [RFC] Mark of upstream CVE patches
Christopher Larson
clarson at kergoth.com
Tue Dec 15 18:46:54 UTC 2015
On Tue, Dec 15, 2015 at 10:23 AM, Burton, Ross <ross.burton at intel.com>
wrote:
> On 15 December 2015 at 17:17, Richard Purdie <
> richard.purdie at linuxfoundation.org> wrote:
>
>> FWIW I like the proposal as above adding a tag to the patches.
>>
>
> My initial thought was "tag in filename" for convenience but the inability
> for a single patch to fix multiple CVEs is quite a downside, so agreed.
>
>> If nobody objects to that we need to update the patch submission
>> guidelines so that everyone is aware of this and then we can ask people
>> to follow the guidelines when they don't put the field in, much as we
>> do with Upstream-Status already.
>>
>
> Whilst we're updating the guidelines can we change Upstream-Status: Denied
> to Rejected...
I support the CVE proposal and also this :)
We might also want to discuss the Pending upstream status. There seems to
be a great deal of confusion among folks who think this means it's pending
upstream review, rather than just being a patch we haven't done anything
with yet. It might be worth considering improving that naming, or perhaps
emphasizing it more in the documentation.
--
Christopher Larson
clarson at kergoth dot com
Founder - BitBake, OpenEmbedded, OpenZaurus
Maintainer - Tslib
Senior Software Engineer, Mentor Graphics