
Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID



On 2016-11-29 06:14:10, Raphael Hertzog wrote:
> Hi,
>
> On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
>> Quite right:
>> http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff
>
> Some comments:
> - since we have no git history, it's nice to indicate in each patch what
>   CVE it fixes (I like to name the patch according to the CVE it fixes too)
>   here, I have to look up the upstream ticket or commit to find out and in many
>   cases, it's no longer possible since the patch refers to a
>   trac.imagemagick.org URL which no longer exists and/or the commit does
>   not have the CVE number :(

I wonder if we should standardize something about this.

I usually name security patches with the following scheme:

debian/patches/CVE-XXXX-YYYY(-commithash)?.patch

... if I have the CVE. I also include the upstream commit hash if
relevant. If I don't have the CVE, I use some bug number or some unique
identifier. I have found it way more difficult to find my way around
patch queues that use "symbolic" names that describe the issue rather
than individual ticket or CVE numbers...

This doesn't forbid adding a one-word description of the issue alongside
that standard of course.

-- 
Being cynical is the only way to deal with modern civilization — you
can't just swallow it whole.
                        - Frank Zappa
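An added example, not part of the thread or of Debian's tooling: a small checker that reads a debian/patches/series file and reports which entries follow the CVE-XXXX-YYYY(-commithash)?.patch scheme and which still use "symbolic" names. It assumes the one-word description, when present, is a suffix after the commit hash, and uses a constructed series listing rather than the real imagemagick one.

```python
import re

# Naming scheme from the thread: CVE-XXXX-YYYY(-commithash)?.patch
# The trailing one-word description is an assumption about where it goes.
PATCH_NAME_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})"          # CVE identifier
    r"(?:-(?P<commit>[0-9a-f]{7,40}))?"   # optional upstream commit hash
    r"(?:-(?P<desc>[A-Za-z0-9_]+))?"      # optional one-word description
    r"\.patch$"
)


def classify_patch(name: str) -> dict:
    """Parse a patch file name; mark it 'symbolic' if it ignores the scheme."""
    m = PATCH_NAME_RE.match(name)
    if not m:
        return {"name": name, "cve": None, "commit": None,
                "desc": None, "symbolic": True}
    return {"name": name, "symbolic": False, **m.groupdict()}


def audit_series(series_text: str) -> list:
    """Walk a quilt-style series file: one patch per line, '#' comments,
    optional quilt options (e.g. -p1) after the file name."""
    results = []
    for line in series_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name = line.split()[0]
        results.append(classify_patch(name))
    return results


def symbolic_patches(series_text: str) -> list:
    """Names that would need a ticket or CVE lookup to identify the issue."""
    return [r["name"] for r in audit_series(series_text) if r["symbolic"]]


# Constructed sample; the CVE numbers and hashes below are placeholders.
SAMPLE_SERIES = """\
# constructed sample, not the real imagemagick series file
CVE-2016-0001.patch
CVE-2016-0002-0123abc.patch
CVE-2016-0003-deadbeefcafe-overflow.patch
fix-tiff-crash.patch -p1
"""

if __name__ == "__main__":
    for entry in audit_series(SAMPLE_SERIES):
        print(entry)
```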

