On Thu, 2017-09-07 at 11:38 +0200, Arend van Spriel wrote: > > Ok. So doing this I see a number of instances where the CVE-ID is > mentioned in the commit message, but there are also instances that > use the 'Fixes:' tag. Does it make sense to use that or does it > serve another purpose? Huh, I don't think that makes sense - the Fixes: tag should be for the commit that introduced the bug. I guess parsers will have to ignore garbage so it's probably safe, but I don't think you could mine for CVE fixes that way anyway ... johannes
