* [PATCH] doc: relax requirement on commit messages of security fixes
@ 2022-03-10 17:59 luca.boccassi
2023-03-31 10:34 ` Thomas Monjalon
2023-11-24 13:53 ` David Marchand
0 siblings, 2 replies; 5+ messages in thread
From: luca.boccassi @ 2022-03-10 17:59 UTC (permalink / raw)
To: dev; +Cc: thomas, maxime.coquelin, david.marchand, ktraynor, Luca Boccassi
From: Luca Boccassi <bluca@debian.org>
Allow more flexibility with embargo lifting by not requiring
mentions of CVEs in commit messages if the lift date allows
it.
Signed-off-by: Luca Boccassi <bluca@debian.org>
---
doc/guides/contributing/vulnerability.rst | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
index b6300252ad..fc60e02e37 100644
--- a/doc/guides/contributing/vulnerability.rst
+++ b/doc/guides/contributing/vulnerability.rst
@@ -170,7 +170,10 @@ The patches fixing the vulnerability are developed and reviewed
by the security team and
by elected area experts that agree to maintain confidentiality.
-The CVE id and the bug id must be referenced in the patch.
+The CVE id and the bug id must be referenced in the patch if there is no
+embargo, or if there is an embargo, but it will be lifted when the release
+including the patch is published. If the embargo is going to be lifted after the
+release, then the CVE and bug ids must be omitted from the commit message.
Backports to the identified affected versions are done once the fix is ready.
--
2.34.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] doc: relax requirement on commit messages of security fixes
2022-03-10 17:59 [PATCH] doc: relax requirement on commit messages of security fixes luca.boccassi
@ 2023-03-31 10:34 ` Thomas Monjalon
2023-03-31 10:37 ` Maxime Coquelin
2023-11-24 13:53 ` David Marchand
1 sibling, 1 reply; 5+ messages in thread
From: Thomas Monjalon @ 2023-03-31 10:34 UTC (permalink / raw)
To: dev
Cc: maxime.coquelin, david.marchand, ktraynor, Luca Boccassi,
luca.boccassi, Christian Ehrhardt, xuemingl
We missed this patch, there was no comment.
Please review.
10/03/2022 18:59, luca.boccassi@gmail.com:
> From: Luca Boccassi <bluca@debian.org>
>
> Allow more flexibility with embargo lifting by not requiring
> mentions of CVEs in commit messages if the lift date allows
> it.
>
> Signed-off-by: Luca Boccassi <bluca@debian.org>
> ---
> -The CVE id and the bug id must be referenced in the patch.
> +The CVE id and the bug id must be referenced in the patch if there is no
> +embargo, or if there is an embargo, but it will be lifted when the release
> +including the patch is published. If the embargo is going to be lifted after the
> +release, then the CVE and bug ids must be omitted from the commit message.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] doc: relax requirement on commit messages of security fixes
2023-03-31 10:34 ` Thomas Monjalon
@ 2023-03-31 10:37 ` Maxime Coquelin
2023-07-05 23:07 ` Stephen Hemminger
0 siblings, 1 reply; 5+ messages in thread
From: Maxime Coquelin @ 2023-03-31 10:37 UTC (permalink / raw)
To: Thomas Monjalon, dev
Cc: david.marchand, ktraynor, Luca Boccassi, luca.boccassi,
Christian Ehrhardt, xuemingl
Indeed!
On 3/31/23 12:34, Thomas Monjalon wrote:
> We missed this patch, there was no comment.
> Please review.
>
> 10/03/2022 18:59, luca.boccassi@gmail.com:
>> From: Luca Boccassi <bluca@debian.org>
>>
>> Allow more flexibility with embargo lifting by not requiring
>> mentions of CVEs in commit messages if the lift date allows
>> it.
>>
>> Signed-off-by: Luca Boccassi <bluca@debian.org>
>> ---
>> -The CVE id and the bug id must be referenced in the patch.
>> +The CVE id and the bug id must be referenced in the patch if there is no
>> +embargo, or if there is an embargo, but it will be lifted when the release
>> +including the patch is published. If the embargo is going to be lifted after the
>> +release, then the CVE and bug ids must be omitted from the commit message.
>
>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Thanks,
Maxime
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] doc: relax requirement on commit messages of security fixes
2023-03-31 10:37 ` Maxime Coquelin
@ 2023-07-05 23:07 ` Stephen Hemminger
0 siblings, 0 replies; 5+ messages in thread
From: Stephen Hemminger @ 2023-07-05 23:07 UTC (permalink / raw)
To: Maxime Coquelin
Cc: Thomas Monjalon, dev, david.marchand, ktraynor, Luca Boccassi,
luca.boccassi, Christian Ehrhardt, xuemingl
On Fri, 31 Mar 2023 12:37:40 +0200
Maxime Coquelin <maxime.coquelin@redhat.com> wrote:
> Indeed!
>
> On 3/31/23 12:34, Thomas Monjalon wrote:
> > We missed this patch, there was no comment.
> > Please review.
> >
> > 10/03/2022 18:59, luca.boccassi@gmail.com:
> >> From: Luca Boccassi <bluca@debian.org>
> >>
> >> Allow more flexibility with embargo lifting by not requiring
> >> mentions of CVEs in commit messages if the lift date allows
> >> it.
> >>
> >> Signed-off-by: Luca Boccassi <bluca@debian.org>
> >> ---
> >> -The CVE id and the bug id must be referenced in the patch.
> >> +The CVE id and the bug id must be referenced in the patch if there is no
> >> +embargo, or if there is an embargo, but it will be lifted when the release
> >> +including the patch is published. If the embargo is going to be lifted after the
> >> +release, then the CVE and bug ids must be omitted from the commit message.
> >
> >
>
> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] doc: relax requirement on commit messages of security fixes
2022-03-10 17:59 [PATCH] doc: relax requirement on commit messages of security fixes luca.boccassi
2023-03-31 10:34 ` Thomas Monjalon
@ 2023-11-24 13:53 ` David Marchand
1 sibling, 0 replies; 5+ messages in thread
From: David Marchand @ 2023-11-24 13:53 UTC (permalink / raw)
To: luca.boccassi
Cc: dev, thomas, maxime.coquelin, ktraynor, Luca Boccassi, Stephen Hemminger
On Thu, Mar 10, 2022 at 7:00 PM <luca.boccassi@gmail.com> wrote:
>
> From: Luca Boccassi <bluca@debian.org>
>
> Allow more flexibility with embargo lifting by not requiring
> mentions of CVEs in commit messages if the lift date allows
> it.
>
> Signed-off-by: Luca Boccassi <bluca@debian.org>
Applied, thanks Luca.
--
David Marchand
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-11-24 13:53 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-10 17:59 [PATCH] doc: relax requirement on commit messages of security fixes luca.boccassi
2023-03-31 10:34 ` Thomas Monjalon
2023-03-31 10:37 ` Maxime Coquelin
2023-07-05 23:07 ` Stephen Hemminger
2023-11-24 13:53 ` David Marchand
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).