[OE-core] [RFC] Mark of upstream CVE patches

Otavio Salvador otavio.salvador at ossystems.com.br
Tue Dec 15 16:26:54 UTC 2015


On Tue, Dec 15, 2015 at 2:03 PM, Mariano Lopez
<mariano.lopez at linux.intel.com> wrote:
> There is an initiative to track vulnerable software being built (see bugs
> 8119 and 7515). The idea is to have a testing tool that would check the
> recipe versions against CVEs. In order to accomplish such a task there is a
> need to reliably mark the patches from upstream that solve CVEs.

I support this initiative and I also second the preference for the tag
in the patch header. It is easy to add, grep for, and simple.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750


