
Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID



On Tue, 29 Nov 2016, Antoine Beaupré wrote:
> I wonder if we should standardize something about this.
> 
> I usually name security patches with the following scheme:
> debian/patches/CVE-XXXX-YYYY(-commithash)?.patch

I use CVE-XXXX-YYYY(-patchnumber)?.patch as some issues require multiple
patches to be fixed. But I do not embed the commit hash, it's already
present in the meta-data and does not provide anything useful.

> relevant. If I don't have the CVE, I use some bug number or some unique
> identifier. I have found it way more difficult to find my way around
> patch queues that use "symbolic" names that describe the issue rather
> than individual ticket or CVE numbers...

Me too.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

