[1/4] contributor-guide: recipe-style-guide: add section about CVE patches

Message ID 20230920100647.1038583-1-rhi@pengutronix.de
State New

Commit Message

Roland Hieber Sept. 20, 2023, 10:06 a.m. UTC
This was previously included in the OpenEmbedded wiki page [1], but was
not ported along with the rest in commit 95c9a1e1e78bbfb82ade
(2023-09-12, Michael Opdenacker: "contributor-guide: recipe-style-guide:
add Upstream-Status").

  [1]: https://www.openembedded.org/index.php?title=Commit_Patch_Message_Guidelines&oldid=10935

Group the examples in their own sections.

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
---
This is basically v2 of "[PATCH] contributor-guide: add docs for
Upstream-Status patch headers", Message-Id:
<20230919111549.997443-2-rhi@pengutronix.de>
<https://lists.yoctoproject.org/g/docs/topic/resend_patch/101455254>
rebased onto master-next, but since it looks so different now I made a
new v1 patch out of it.

 .../contributor-guide/recipe-style-guide.rst  | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

Comments

Michael Opdenacker Sept. 20, 2023, 2:11 p.m. UTC | #1
Hi Roland

Many thanks for the update!

See my comments below...

On 20.09.23 at 12:06, Roland Hieber wrote:
> This was previously included in the OpenEmbedded wiki page [1], but was
> not ported along with the rest in commit 95c9a1e1e78bbfb82ade
> (2023-09-12, Michael Opdenacker: "contributor-guide: recipe-style-guide:
> add Upstream-Status").
>
>    [1]: https://www.openembedded.org/index.php?title=Commit_Patch_Message_Guidelines&oldid=10935
>
> Group the examples in their own sections.
>
> Signed-off-by: Roland Hieber <rhi@pengutronix.de>
> ---
> This is basically v2 of "[PATCH] contributor-guide: add docs for
> Upstream-Status patch headers", Message-Id:
> <20230919111549.997443-2-rhi@pengutronix.de>
> <https://lists.yoctoproject.org/g/docs/topic/resend_patch/101455254>
> rebased onto master-next, but since it looks so different now I made a
> new v1 patch out of it.
>
>   .../contributor-guide/recipe-style-guide.rst  | 27 ++++++++++++++++++-
>   1 file changed, 26 insertions(+), 1 deletion(-)
>
> diff --git a/documentation/contributor-guide/recipe-style-guide.rst b/documentation/contributor-guide/recipe-style-guide.rst
> index 99105179a6b9..52ab4523c49f 100644
> --- a/documentation/contributor-guide/recipe-style-guide.rst
> +++ b/documentation/contributor-guide/recipe-style-guide.rst
> @@ -321,7 +321,17 @@ the status should be changed to ``Submitted [where]``, and an additional
>   ``Signed-off-by:`` line should be added to the patch by the person claiming
>   responsibility for upstreaming.
>   
> -For example, if the patch has been submitted upstream::
> +CVE patches
> +-----------


I've got an issue with this... This makes the "CVE patches" section a 
subsection of "Patch Upstream Status".
Could you instead use?

CVE patches
===========

> +
> +In order to have a better control of vulnerabilities, patches that fix CVEs must
> +contain a *"CVE:"* tag. This tag list all CVEs fixed by the patch. If more than


s/*"CVE:"* tag/``CVE:``/
to match the way Upstream-Status was introduced

> +one CVE is fixed, separate them using spaces.
> +
> +Examples
> +--------
> +
> +Here's an example of a patch that has been submitted upstream::
>   
>      rpm: Adjusted the foo setting in bar
>   
> @@ -336,3 +346,18 @@ For example, if the patch has been submitted upstream::
>   
>   A future update can change the value to ``Accepted`` or ``Denied`` as
>   appropriate.
> +
> +This should be the header of patch that fixes CVE-2015-8370 in GRUB2::

s/of patch/of the patch/

We have a macro for CVEs:
s/CVE-2015-8370/:cve:`2015-8370`/

I know, you can't know this ;-)

> +
> +   grub2: Fix CVE-2015-8370


Could you add this section to another "Examples" subsection, dedicated 
to the "CVE:" tag? This way, each section (Upstream-Status and CVE) has 
its own examples subsection, and we don't have to create an "Examples" 
section which applies only to the last two sections (a bit weird).

Thanks in advance,
Michael.

Patch

diff --git a/documentation/contributor-guide/recipe-style-guide.rst b/documentation/contributor-guide/recipe-style-guide.rst
index 99105179a6b9..52ab4523c49f 100644
--- a/documentation/contributor-guide/recipe-style-guide.rst
+++ b/documentation/contributor-guide/recipe-style-guide.rst
@@ -321,7 +321,17 @@  the status should be changed to ``Submitted [where]``, and an additional
 ``Signed-off-by:`` line should be added to the patch by the person claiming
 responsibility for upstreaming.
 
-For example, if the patch has been submitted upstream::
+CVE patches
+-----------
+
+In order to have a better control of vulnerabilities, patches that fix CVEs must
+contain a *"CVE:"* tag. This tag list all CVEs fixed by the patch. If more than
+one CVE is fixed, separate them using spaces.
+
+Examples
+--------
+
+Here's an example of a patch that has been submitted upstream::
 
    rpm: Adjusted the foo setting in bar
 
@@ -336,3 +346,18 @@  For example, if the patch has been submitted upstream::
 
 A future update can change the value to ``Accepted`` or ``Denied`` as
 appropriate.
+
+This should be the header of patch that fixes CVE-2015-8370 in GRUB2::
+
+   grub2: Fix CVE-2015-8370
+
+   [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1286966
+
+   Back to 28; Grub2 Authentication
+
+   Two functions suffer from integer underflow fault; the grub_username_get() and grub_password_get()located in
+   grub-core/normal/auth.c and lib/crypto.c respectively. This can be exploited to obtain a Grub rescue shell.
+
+   Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2]
+   CVE: CVE-2015-8370
+   Signed-off-by: Joe Developer <joe.developer@example.com>
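Review bot: the prose above introduces the space-separated form for several CVEs, but this only example carries a single ID (``CVE: CVE-2015-8370``); either extend this header or add a second example so the multi-CVE layout is shown once. Smaller points in the same hunk: "the header of patch" should be "the header of the patch"; ``CVE-2015-8370`` in the introductory sentence should use the documentation's ``:cve:`` role (``:cve:`2015-8370```); the copied description is missing a space in "grub_password_get()located in"; and the Backport URL is plain ``http://``, which should be ``https://`` when the target supports it, since contributors will copy this header verbatim.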