[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Wed Feb 19 22:58:05 UTC 2020
On Wed, 19 Feb 2020 23:06:59 +0100
Peter Korsgaard <peter at korsgaard.com> wrote:
> > That's the kind of thing I assumed, but perhaps we need to add at least
> > this link next to the IGNORE_CVES line ?
>
> Do you think so? We don't really do it for the other things, e.g. we
> simply claim that a specific patch fixes one or more CVEs, without
> necessarily providing a lot of details besides the CVE identifier.
>
> From the CVE identifier you can then go and look up a bunch of these
> things, e.g. on the Debian security tracker or on the NVD website.
>
> In a way, this is quite similar to how we claim specific licenses for a
> package.
Well, it's not a strong opinion, but I believe:
# disputed, https://github.com/erikd/libsndfile/issues/398
doesn't cost much more than
# disputed
And it directly tells people reading this .mk file what we mean by
"disputed", together with the background information about it.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com