[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] Fix crash when multiple event callbacks were registered



On Wed, Jul 10, 2013 at 08:11:14AM -0600, Eric Blake wrote:
> On 07/10/2013 05:02 AM, Daniel P. Berrange wrote:
> > On Wed, Jul 10, 2013 at 12:59:48PM +0200, Ján Tomko wrote:
> >> CVE-2013-2230
> > 
> > This should be in the subject line so it is more visible.
> 
> Oh well, it was pushed without the subject line change.  But I noticed
> that DV had added a signed tag to our previous CVE (2013-2218, just
> before 1.1.0), and that is also easily visible if you use 'tig', so I've
> just finished creating lots of other signed tags for CVE fixes over the
> last three years:
> 
> CVE-2011-1146   CVE-2012-3411   CVE-2013-0170   CVE-2013-2230
> CVE-2011-1486   CVE-2012-3445   CVE-2013-1962
> CVE-2011-2178   CVE-2012-4423   CVE-2013-2218
> 
> Since signed tags can be added after the fact, they are a nice way to
> consistently mark bug fixes, regardless of whether the commit itself was
> aware of a CVE number (for example, some of those tags are on commits
> that were made public long before a CVE was assigned, because no one
> realized the exploit until after the patch was pushed).

  +1 I think at this point it is the best way.

The rationale too, is that sometimes we may commit a fix, and the CVE
about it gets assigned later. With tags we can always add that extra
information. So let's try to be consistent and always use git tags
in the future. Those tags should be PGP signed (as you did :)

  Thanks for doing the history work :-)

Daniel

-- 
Daniel Veillard      | Open Source and Standards, Red Hat
veillard redhat com  | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
http://veillard.com/ | virtualization library  http://libvirt.org/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]