Re: Patch Tagging Guidelines: DEP-3 moved to ACCEPTED status
On 16/01/12 16:01, Jonathan Wiltshire wrote:
A CVE field, mandatory if a
CVE has been published for this patch and is the major component of this
patch, would allow easy tracing of patches back to CVE publications
later (for review perhaps, or by other distributions).
I wonder whether CVE IDs are close enough to being a (limited-scope) bug
tracking system to treat them as such, analogous to Bug-Debian,
Bug-Fedora etc.; I've previously used "Bug-CVE: CVE-2011-xxxx" in
ioquake3, although I haven't been completely consistent about that.
(Also, a Bug-* line would ideally have a URI - is there a canonical URI
corresponding to each CVE ID, preferably one that doesn't still just say
"RESERVED" long after the embargo date?)