[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches

Thomas Petazzoni thomas.petazzoni at bootlin.com
Wed Feb 19 22:58:05 UTC 2020


On Wed, 19 Feb 2020 23:06:59 +0100
Peter Korsgaard <peter at korsgaard.com> wrote:

>  > That's the kind of thing I assumed, but perhaps we need to add at least
>  > this link next to the IGNORE_CVES line?
> 
> Do you think so? We don't really do it for the other things, e.g. we
> simply claim that a specific patch fixes one or more CVEs, without
> necessarily providing a lot of details besides the CVE identifier.
> 
> From the CVE identifier you can then go and look up a bunch of these
> things, e.g. on the Debian security tracker or on the NVD website.
> 
> In a way, this is quite similar to how we claim specific licenses for a
> package.

Well, it's not a strong opinion, but I believe:

# disputed, https://github.com/erikd/libsndfile/issues/398

doesn't cost much more than

# disputed

And it directly tells people reading this .mk file what we mean by
"disputed", together with the background information about it.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com