[PATCH] doc: relax requirement on commit messages of security fixes

luca.boccassi at gmail.com luca.boccassi at gmail.com
Thu Mar 10 18:59:47 CET 2022

Previous message (by thread): [PATCH v3] app/testpmd: fix show RSS RETA on Windows
Next message (by thread): [PATCH] bpf: fix build with some libpcap version on FreeBSD
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Luca Boccassi <bluca at debian.org>

Allow more flexibility with embargo lifting by not requiring
mentions of CVEs in commit messages if the lift date allows
it.

Signed-off-by: Luca Boccassi <bluca at debian.org>
---
 doc/guides/contributing/vulnerability.rst | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/doc/guides/contributing/vulnerability.rst b/doc/guides/contributing/vulnerability.rst
index b6300252ad..fc60e02e37 100644
--- a/doc/guides/contributing/vulnerability.rst
+++ b/doc/guides/contributing/vulnerability.rst
@@ -170,7 +170,10 @@ The patches fixing the vulnerability are developed and reviewed
 by the security team and
 by elected area experts that agree to maintain confidentiality.
 
-The CVE id and the bug id must be referenced in the patch.
+The CVE id and the bug id must be referenced in the patch if there is no
+embargo, or if there is an embargo, but it will be lifted when the release
+including the patch is published. If the embargo is going to be lifted after the
+release, then the CVE and bug ids must be omitted from the commit message.
 
 Backports to the identified affected versions are done once the fix is ready.
 
-- 
2.34.1

Previous message (by thread): [PATCH v3] app/testpmd: fix show RSS RETA on Windows
Next message (by thread): [PATCH] bpf: fix build with some libpcap version on FreeBSD
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the dev mailing list