
Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID



On Thu, Dec 01, 2016 at 04:34:20PM +0100, Raphael Hertzog wrote:
> On Tue, 29 Nov 2016, Antoine Beaupré wrote:
> > I wonder if we should standardize something about this.
> > 
> > I usually name security patches with the following scheme:
> > debian/patches/CVE-XXXX-YYYY(-commithash)?.patch
> 
> I use CVE-XXXX-YYYY(-patchnumber)?.patch as some issues require multiple
> patches to be fixed. But I do not embed the commit hash; it's already
> present in the meta-data and does not provide anything useful.
> 
> > relevant. if i don't have the CVE, i use some bug number or some unique
> > identifier. i have found it way more difficult to find my way around
> > patch queues that use "symbolic" names that describe the issue rather
> > than individual ticket or CVE numbers...
> 
> Me too.
> 

Today I will rename the patches, ensure that each one has the relevant
CVE and/or bug number in the patch header, and ensure that the
debian/changelog entries are updated with the applicable CVE IDs and/or
bug numbers.
Since all of those are "cosmetic" issues, I will not call for further
review and since I have received positive feedback on the testing, I
will then upload that version of the package and release the DLA.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
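The thread above settles on naming security patches `CVE-XXXX-YYYY(-patchnumber)?.patch` and on making sure each CVE also appears in the patch header and in debian/changelog. The script below is an added example, not code from the list or from the Debian packaging tools, that audits a package tree for exactly those three properties. The function names (`check_patch_name`, `cve_from_name`, `audit_patches`, `make_sample`) and the toy package contents (package name `pkg`, CVE-2016-0001, CVE-2016-0002, bug #800001) are constructed for the example and do not refer to any real package or advisory.

```shell
#!/bin/sh
# Added example: audit debian/patches against the naming scheme discussed
# on the list. All names and sample data below are constructed, not real.

# check_patch_name NAME -> 0 if NAME matches CVE-XXXX-YYYY(-patchnumber)?.patch
check_patch_name() {
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}(-[0-9]+)?\.patch$'
}

# cve_from_name NAME -> prints the CVE id embedded in a conforming NAME
cve_from_name() {
    printf '%s\n' "$1" | sed -E 's/^(CVE-[0-9]{4}-[0-9]{4,})(-[0-9]+)?\.patch$/\1/'
}

# audit_patches PKGDIR -> prints one line per problem; returns 1 if any found.
# Problems reported: BAD-NAME (symbolic name instead of a CVE id),
# NO-HEADER (CVE id missing from the patch header), NO-CHANGELOG (CVE id
# missing from debian/changelog).
audit_patches() {
    dir=$1
    rc=0
    for p in "$dir"/debian/patches/*.patch; do
        name=${p##*/}
        if ! check_patch_name "$name"; then
            echo "BAD-NAME $name"; rc=1; continue
        fi
        cve=$(cve_from_name "$name")
        grep -qF -- "$cve" "$p" || { echo "NO-HEADER $name"; rc=1; }
        grep -qF -- "$cve" "$dir/debian/changelog" || { echo "NO-CHANGELOG $name"; rc=1; }
    done
    return $rc
}

# make_sample DIR -> builds a constructed toy package tree with two good
# patches, one patch whose CVE is referenced nowhere, and one symbolic name.
make_sample() {
    mkdir -p "$1/debian/patches"
    cat > "$1/debian/changelog" <<'EOF'
pkg (1.0-2) unstable; urgency=medium

  * Fix CVE-2016-0001 (Closes: #800001)

 -- Example Maintainer <maint@example.org>  Thu, 01 Dec 2016 12:00:00 +0000
EOF
    printf 'Description: fix CVE-2016-0001, part 1\n' > "$1/debian/patches/CVE-2016-0001-1.patch"
    printf 'Description: fix CVE-2016-0001, part 2\n' > "$1/debian/patches/CVE-2016-0001-2.patch"
    printf 'Description: fix a buffer issue\n'        > "$1/debian/patches/CVE-2016-0002.patch"
    printf 'Description: misc fix\n'                  > "$1/debian/patches/fix-buffer-overflow.patch"
}

# Stand-alone run: build the toy tree, audit it, clean up.
if [ "${0##*/}" != "sh" ] && [ -z "$AUDIT_NO_MAIN" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp"
    audit_patches "$tmp"
    rm -rf "$tmp"
fi
```

Run it against a real source tree with `audit_patches /path/to/pkg`; a non-zero exit means at least one patch is either named symbolically or carries a CVE id that the patch header or the changelog does not mention, which are exactly the "cosmetic" gaps the mail above describes fixing before upload.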

