On 16/01/12 16:01, Jonathan Wiltshire wrote:
A CVE field, mandatory if a CVE has been published for this patch and is the major component of this patch, would allow easy tracing of patches back to CVE publications later (for review perhaps, or by other distributions).
I wonder whether CVE IDs are close enough to being a (limited-scope) bug tracking system to treat them as such, analogous to Bug-Debian, Bug-Fedora etc.; I've previously used "Bug-CVE: CVE-2011-xxxx" in ioquake3, although I haven't been completely consistent about that.
(Also, a Bug-* line would ideally have a URI - is there a canonical URI corresponding to each CVE ID, preferably one that doesn't still just say "RESERVED" long after the embargo date?)
S