On 07-09-17 10:59, Johannes Berg wrote:
> On Thu, 2017-09-07 at 10:40 +0200, Arend van Spriel wrote:
>> Hi Kalle,
>>
>> Due to recent events we were asked about some vulnerability fixes for
>> brcmfmac. We already fixed a couple of things without referring to a
>> so-called CVE-ID, which is what people are asking for. Do we have an
>> upstream policy on that? I could not really find anything in the
>> Documentation folder (but I may have overlooked it). Might be worth
>> mentioning in the commit message like with the coverity ids.
>
> Sure.
>
> git log --grep "CVE-"
>
> shows it being done frequently.

Ok. So doing this I see a number of instances where the CVE-ID is
mentioned in the commit message, but there are also instances that use
the 'Fixes:' tag. Does it make sense to use that or does it serve
another purpose?
Regards,
Arend