doc: relax requirement on commit messages of security fixes
Checks
Commit Message
From: Luca Boccassi <bluca@debian.org>
Allow more flexibility with embargo lifting by not requiring
mentions of CVEs in commit messages if the lift date allows
it.
Signed-off-by: Luca Boccassi <bluca@debian.org>
---
doc/guides/contributing/vulnerability.rst | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
Comments
We missed this patch, there was no comment.
Please review.
10/03/2022 18:59, luca.boccassi@gmail.com:
> From: Luca Boccassi <bluca@debian.org>
>
> Allow more flexibility with embargo lifting by not requiring
> mentions of CVEs in commit messages if the lift date allows
> it.
>
> Signed-off-by: Luca Boccassi <bluca@debian.org>
> ---
> -The CVE id and the bug id must be referenced in the patch.
> +The CVE id and the bug id must be referenced in the patch if there is no
> +embargo, or if there is an embargo, but it will be lifted when the release
> +including the patch is published. If the embargo is going to be lifted after the
> +release, then the CVE and bug ids must be omitted from the commit message.
Indeed!
On 3/31/23 12:34, Thomas Monjalon wrote:
> We missed this patch, there was no comment.
> Please review.
>
> 10/03/2022 18:59, luca.boccassi@gmail.com:
>> From: Luca Boccassi <bluca@debian.org>
>>
>> Allow more flexibility with embargo lifting by not requiring
>> mentions of CVEs in commit messages if the lift date allows
>> it.
>>
>> Signed-off-by: Luca Boccassi <bluca@debian.org>
>> ---
>> -The CVE id and the bug id must be referenced in the patch.
>> +The CVE id and the bug id must be referenced in the patch if there is no
>> +embargo, or if there is an embargo, but it will be lifted when the release
>> +including the patch is published. If the embargo is going to be lifted after the
>> +release, then the CVE and bug ids must be omitted from the commit message.
>
>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Thanks,
Maxime
On Fri, 31 Mar 2023 12:37:40 +0200
Maxime Coquelin <maxime.coquelin@redhat.com> wrote:
> Indeed!
>
> On 3/31/23 12:34, Thomas Monjalon wrote:
> > We missed this patch, there was no comment.
> > Please review.
> >
> > 10/03/2022 18:59, luca.boccassi@gmail.com:
> >> From: Luca Boccassi <bluca@debian.org>
> >>
> >> Allow more flexibility with embargo lifting by not requiring
> >> mentions of CVEs in commit messages if the lift date allows
> >> it.
> >>
> >> Signed-off-by: Luca Boccassi <bluca@debian.org>
> >> ---
> >> -The CVE id and the bug id must be referenced in the patch.
> >> +The CVE id and the bug id must be referenced in the patch if there is no
> >> +embargo, or if there is an embargo, but it will be lifted when the release
> >> +including the patch is published. If the embargo is going to be lifted after the
> >> +release, then the CVE and bug ids must be omitted from the commit message.
> >
> >
>
> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Acked-by: Stephen Hemminger <stephen@networkplumber.org>
On Thu, Mar 10, 2022 at 7:00 PM <luca.boccassi@gmail.com> wrote:
>
> From: Luca Boccassi <bluca@debian.org>
>
> Allow more flexibility with embargo lifting by not requiring
> mentions of CVEs in commit messages if the lift date allows
> it.
>
> Signed-off-by: Luca Boccassi <bluca@debian.org>
Applied, thanks Luca.
@@ -170,7 +170,10 @@ The patches fixing the vulnerability are developed and reviewed
by the security team and
by elected area experts that agree to maintain confidentiality.
-The CVE id and the bug id must be referenced in the patch.
+The CVE id and the bug id must be referenced in the patch if there is no
+embargo, or if there is an embargo, but it will be lifted when the release
+including the patch is published. If the embargo is going to be lifted after the
+release, then the CVE and bug ids must be omitted from the commit message.
Backports to the identified affected versions are done once the fix is ready.