Re: RFC - ImageMagick, proper testing, and handling issues without a CVE ID
On Thu, Dec 01, 2016 at 04:34:20PM +0100, Raphael Hertzog wrote:
> On Tue, 29 Nov 2016, Antoine Beaupré wrote:
> > I wonder if we should standardize something about this.
> >
> > I usually name security patches with the following scheme:
> > debian/patches/CVE-XXXX-YYYY(-commithash)?.patch
>
> I use CVE-XXXX-YYYY(-patchnumber)?.patch as some issues require multiple
> patches to be fixed. But I do not embed the commit hash, it's already
> present in the meta-data and does not provide anything useful.
>
> > relevant. if i don't have the CVE, i use some bug number or some unique
> > identifier. i have found it way more difficult to find my way around
> > patch queues that use "symbolic" names that describe the issue rather
> > than individual ticket or CVE numbers...
>
> Me too.
>
Today I will rename the patches, ensure that each one has the relevant
CVE and/or bug number in the patch header, and the debian/changelog
entries are updated with the applicable CVE IDs and/or bug numbers.
Since all of those are "cosmetic" issues, I will not call for further
review and since I have received positive feedback on the testing, I
will then upload that version of the package and release the DLA.
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Reply to: