On 07-09-17 11:40, Johannes Berg wrote:
> On Thu, 2017-09-07 at 11:38 +0200, Arend van Spriel wrote:
>> Ok. So doing this I see a number of instances where the CVE-ID is
>> mentioned in the commit message, but there are also instances that
>> use the 'Fixes:' tag. Does it make sense to use that or does it
>> serve another purpose?
>
> Huh, I don't think that makes sense - the Fixes: tag should be for the
> commit that introduced the bug. I guess parsers will have to ignore
> garbage so it's probably safe, but I don't think you could mine for CVE
> fixes that way anyway ...

Indeed. I see a lot of different ways in which the CVE-IDs are
referenced, which makes mining for a list of CVE-IDs between releases
hard. Seems like a useful thing to have though, but people may grow
tired of all the different tags :-p

Regards,
Arend
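
Added example, not part of the original thread or of any kernel tooling: a small Python sketch of the mining problem discussed above. It collects CVE IDs wherever they appear in a commit message and treats a `Fixes:` value as a reference to the introducing commit only when it starts with a commit hash. The function names, commit hashes, subjects and CVE IDs are all constructed placeholders.

```python
import re

# A CVE ID can appear anywhere: subject, body, or (mis)used in a tag.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Any line starting with "Fixes:"; the value is validated separately.
FIXES_RE = re.compile(r"^Fixes:[ \t]*(.*)$", re.IGNORECASE | re.MULTILINE)
# A Fixes: value should begin with an abbreviated or full commit hash.
SHA_RE = re.compile(r"[0-9a-f]{8,40}\b", re.IGNORECASE)


def parse_commit(message):
    """Return (cve_ids, introducing_shas, malformed_fixes) for one message."""
    cves = sorted({c.upper() for c in CVE_RE.findall(message)})
    shas, malformed = [], []
    for value in FIXES_RE.findall(message):
        value = value.strip()
        match = SHA_RE.match(value)
        if match:
            shas.append(match.group(0).lower())
        else:
            # Not a commit reference (e.g. a CVE ID): keep it out of the
            # "introduced by" list but report it instead of dropping it.
            malformed.append(value)
    return cves, shas, malformed


def cves_between(commits):
    """Map each CVE ID to the commits in a release range that mention it."""
    index = {}
    for sha, message in commits:
        for cve in parse_commit(message)[0]:
            index.setdefault(cve, []).append(sha)
    return index


# Constructed sample: (commit hash, commit message) pairs for one range.
SAMPLE = [
    ("1111111111aa", "wifi: fix bounds check (CVE-0000-0001)\n\n"
                     "Fixes: 0123456789ab (\"wifi: add event handler\")\n"),
    ("2222222222bb", "net: validate length\n\nThis addresses cve-0000-0002.\n"
                     "Fixes: CVE-0000-0002\n"),
    ("3333333333cc", "doc: fix typo\n"),
    ("4444444444dd", "CVE-0000-0001: follow-up for the bounds check\n"),
]

if __name__ == "__main__":
    for cve, shas in sorted(cves_between(SAMPLE).items()):
        print(cve, "mentioned by", ", ".join(shas))
```
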