diff mbox series

doc: relax requirement on commit messages of security fixes

Message ID	20220310175947.273850-1-luca.boccassi@gmail.com (mailing list archive)
State	Accepted, archived
Delegated to:	David Marchand
Headers	From: luca.boccassi@gmail.com To: dev@dpdk.org Cc: thomas@monjalon.net, maxime.coquelin@redhat.com, david.marchand@redhat.com, ktraynor@redhat.com, Luca Boccassi <bluca@debian.org> Subject: [PATCH] doc: relax requirement on commit messages of security fixes Date: Thu, 10 Mar 2022 17:59:47 +0000 Message-Id: <20220310175947.273850-1-luca.boccassi@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: list Errors-To: dev-bounces@dpdk.org
Series	doc: relax requirement on commit messages of security fixes \| doc: relax requirement on commit messages of security fixes

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/iol-mellanox-Performance	success	Performance Testing PASS
ci/Intel-compilation	success	Compilation OK
ci/intel-Testing	success	Testing PASS
ci/github-robot: build	success	github build: passed
ci/iol-intel-Performance	success	Performance Testing PASS
ci/iol-intel-Functional	success	Functional Testing PASS
ci/iol-aarch64-unit-testing	success	Testing PASS
ci/iol-x86_64-compile-testing	success	Testing PASS
ci/iol-x86_64-unit-testing	success	Testing PASS
ci/iol-aarch64-compile-testing	success	Testing PASS
ci/iol-abi-testing	success	Testing PASS

Commit Message

Luca Boccassi March 10, 2022, 5:59 p.m. UTC

From: Luca Boccassi <bluca@debian.org>

Allow more flexibility with embargo lifting by not requiring
mentions of CVEs in commit messages if the lift date allows
it.

Signed-off-by: Luca Boccassi <bluca@debian.org>
---
 doc/guides/contributing/vulnerability.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Thomas Monjalon March 31, 2023, 10:34 a.m. UTC | #1

We missed this patch, there was no comment.
Please review.

10/03/2022 18:59, luca.boccassi@gmail.com:
> From: Luca Boccassi <bluca@debian.org>
> 
> Allow more flexibility with embargo lifting by not requiring
> mentions of CVEs in commit messages if the lift date allows
> it.
> 
> Signed-off-by: Luca Boccassi <bluca@debian.org>
> ---
> -The CVE id and the bug id must be referenced in the patch.
> +The CVE id and the bug id must be referenced in the patch if there is no
> +embargo, or if there is an embargo, but it will be lifted when the release
> +including the patch is published. If the embargo is going to be lifted after the
> +release, then the CVE and bug ids must be omitted from the commit message.

Maxime Coquelin March 31, 2023, 10:37 a.m. UTC | #2

Indeed!

On 3/31/23 12:34, Thomas Monjalon wrote:
> We missed this patch, there was no comment.
> Please review.
> 
> 10/03/2022 18:59, luca.boccassi@gmail.com:
>> From: Luca Boccassi <bluca@debian.org>
>>
>> Allow more flexibility with embargo lifting by not requiring
>> mentions of CVEs in commit messages if the lift date allows
>> it.
>>
>> Signed-off-by: Luca Boccassi <bluca@debian.org>
>> ---
>> -The CVE id and the bug id must be referenced in the patch.
>> +The CVE id and the bug id must be referenced in the patch if there is no
>> +embargo, or if there is an embargo, but it will be lifted when the release
>> +including the patch is published. If the embargo is going to be lifted after the
>> +release, then the CVE and bug ids must be omitted from the commit message.
> 
> 

Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

Thanks,
Maxime

Stephen Hemminger July 5, 2023, 11:07 p.m. UTC | #3

On Fri, 31 Mar 2023 12:37:40 +0200
Maxime Coquelin <maxime.coquelin@redhat.com> wrote:

> Indeed!
> 
> On 3/31/23 12:34, Thomas Monjalon wrote:
> > We missed this patch, there was no comment.
> > Please review.
> > 
> > 10/03/2022 18:59, luca.boccassi@gmail.com:  
> >> From: Luca Boccassi <bluca@debian.org>
> >>
> >> Allow more flexibility with embargo lifting by not requiring
> >> mentions of CVEs in commit messages if the lift date allows
> >> it.
> >>
> >> Signed-off-by: Luca Boccassi <bluca@debian.org>
> >> ---
> >> -The CVE id and the bug id must be referenced in the patch.
> >> +The CVE id and the bug id must be referenced in the patch if there is no
> >> +embargo, or if there is an embargo, but it will be lifted when the release
> >> +including the patch is published. If the embargo is going to be lifted after the
> >> +release, then the CVE and bug ids must be omitted from the commit message.  
> > 
> >   
> 
> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

Acked-by: Stephen Hemminger <stephen@networkplumber.org>

David Marchand Nov. 24, 2023, 1:53 p.m. UTC | #4

On Thu, Mar 10, 2022 at 7:00 PM <luca.boccassi@gmail.com> wrote:
>
> From: Luca Boccassi <bluca@debian.org>
>
> Allow more flexibility with embargo lifting by not requiring
> mentions of CVEs in commit messages if the lift date allows
> it.
>
> Signed-off-by: Luca Boccassi <bluca@debian.org>

Applied, thanks Luca.

diff mbox series

Patch

diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
index b6300252ad..fc60e02e37 100644
--- a/doc/guides/contributing/vulnerability.rst
+++ b/doc/guides/contributing/vulnerability.rst
@@ -170,7 +170,10 @@  The patches fixing the vulnerability are developed and reviewed
 by the security team and
 by elected area experts that agree to maintain confidentiality.
 
-The CVE id and the bug id must be referenced in the patch.
+The CVE id and the bug id must be referenced in the patch if there is no
+embargo, or if there is an embargo, but it will be lifted when the release
+including the patch is published. If the embargo is going to be lifted after the
+release, then the CVE and bug ids must be omitted from the commit message.
 
 Backports to the identified affected versions are done once the fix is ready.