diff mbox series

doc: relax requirement on commit messages of security fixes

Message ID 20220310175947.273850-1-luca.boccassi@gmail.com (mailing list archive)
State New
Delegated to: Thomas Monjalon
Headers show
Series doc: relax requirement on commit messages of security fixes | expand

Checks

Context Check Description
ci/iol-abi-testing success Testing PASS
ci/iol-aarch64-compile-testing success Testing PASS
ci/iol-x86_64-unit-testing success Testing PASS
ci/iol-x86_64-compile-testing success Testing PASS
ci/iol-aarch64-unit-testing success Testing PASS
ci/iol-intel-Functional success Functional Testing PASS
ci/iol-intel-Performance success Performance Testing PASS
ci/github-robot: build success github build: passed
ci/intel-Testing success Testing PASS
ci/Intel-compilation success Compilation OK
ci/iol-mellanox-Performance success Performance Testing PASS
ci/checkpatch success coding style OK

Commit Message

Luca Boccassi March 10, 2022, 5:59 p.m. UTC
From: Luca Boccassi <bluca@debian.org>

Allow more flexibility with embargo lifting by not requiring
mentions of CVEs in commit messages if the lift date allows
it.

Signed-off-by: Luca Boccassi <bluca@debian.org>
---
 doc/guides/contributing/vulnerability.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
index b6300252ad..fc60e02e37 100644
--- a/doc/guides/contributing/vulnerability.rst
+++ b/doc/guides/contributing/vulnerability.rst
@@ -170,7 +170,10 @@  The patches fixing the vulnerability are developed and reviewed
 by the security team and
 by elected area experts that agree to maintain confidentiality.
 
-The CVE id and the bug id must be referenced in the patch.
+The CVE id and the bug id must be referenced in the patch if there is no
+embargo, or if there is an embargo, but it will be lifted when the release
+including the patch is published. If the embargo is going to be lifted after the
+release, then the CVE and bug ids must be omitted from the commit message.
 
 Backports to the identified affected versions are done once the fix is ready.