On Tue, 2016-11-29 at 12:14 +0100, Raphael Hertzog wrote:
> Hi,
>
> On Mon, 28 Nov 2016, Roberto C. Sánchez wrote:
> > Quite right:
> > http://people.debian.org/~roberto/imagemagick_6.7.7.10-5+deb7u7_6.7.7.10-5+deb7u8.diff
>
> Some comments:
> - since we have no git history, it's nice to indicate in each patch what
> CVE it fixes (I like to name the patch according to the CVE it fixes too)
> here, I have to look up the upstream ticket or commit to find out and in many
> cases, it's no longer possible since the patch refers to a
> trac.imagemagick.org URL which no longer exists and/or the commit does
> not have the CVE number :(
[...]
Would it make sense to add a Bug header field to patches, e.g.:
Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-XXXX-YYYY
or:
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-XXXX-YYYY
?
Ben.
--
Ben Hutchings
A free society is one where it is safe to be unpopular. - Adlai Stevenson
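As an added illustration of the header convention proposed above (not code from the thread, dpkg or quilt), here is a small scanner for DEP-3 pseudo-headers that reports which CVE ids each patch names in its Bug, Bug-<Vendor>, Origin or Description fields, so a patch with no CVE reference is easy to spot before upload. The sample patches and the CVE id CVE-2999-0001 are constructed.

```python
import re

# A CVE identifier as it appears in a header value or URL.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# The DEP-3 header block ends where the unified diff itself begins.
DIFF_START = ("---", "+++", "diff ", "Index:")
# Fields worth checking: Bug, Bug-<Vendor> (e.g. Bug-CVE, Bug-Debian-Security),
# plus Origin and Description, which often carry the id in free text.
FIELD_RE = re.compile(r"^(Bug(?:-[A-Za-z0-9]+)?|Origin|Description):\s*(.*)$")


def dep3_fields(patch_text):
    """Return (field, value) pairs from the patch's DEP-3 header block."""
    fields = []
    for line in patch_text.splitlines():
        if line.startswith(DIFF_START):
            break
        m = FIELD_RE.match(line)
        if m:
            fields.append((m.group(1), m.group(2)))
        elif line.startswith(" ") and fields:
            # Indented line continues the previous field's value.
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
    return fields


def cves_referenced(patch_text):
    """Sorted, de-duplicated CVE ids named in the header fields."""
    found = set()
    for _, value in dep3_fields(patch_text):
        found.update(CVE_RE.findall(value))
    return sorted(found)


def report(patches):
    """Map patch name -> CVE list; an empty list flags a patch with no CVE."""
    return {name: cves_referenced(text) for name, text in patches.items()}


# Constructed sample patches; CVE-2999-0001 is a placeholder id.
GOOD_PATCH = """Description: Reject oversized image dimensions in the reader
Origin: upstream
Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2999-0001
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2999-0001
--- a/reader.c
+++ b/reader.c
"""
BAD_PATCH = """Description: Fix crash on malformed header
Origin: http://trac.example.invalid/changeset/1234
--- a/header.c
+++ b/header.c
"""

if __name__ == "__main__":
    for name, cves in report({"good.patch": GOOD_PATCH, "bad.patch": BAD_PATCH}).items():
        print(name, ":", ", ".join(cves) if cves else "NO CVE REFERENCE")
```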