[Buildroot] [PATCH 2/5] package/libsndfile: annotate _IGNORE_CVES for the included security patches

Peter Korsgaard peter at korsgaard.com
Thu Feb 20 07:01:08 UTC 2020


>>>>> "Thomas" == Thomas Petazzoni <thomas.petazzoni at bootlin.com> writes:

Hi,

 >> Do you think so? We don't really do it for the other things, E.G. we
 >> simply claim that a specific patch fixes one or more CVEs, without
 >> necessarily providing a lot of details besides the CVE identifier
 >> 
 >> From the CVE identifier you can then go and look up a bunch of these
 >> things, E.G. on the Debian securitytracker or on the NVD website.
 >> 
 >> In a way, this is quite similar to how we claim specific licenses for a
 >> package.

 > Well, it's not a strong opinion, but I believe:

 > # disputed, https://github.com/erikd/libsndfile/issues/398

 > doesn't cost much more than

 > # disputed

 > And it directly tells people reading this .mk file what we mean by
 > "disputed", together with the background information about it.

Fine by me. Do notice that the CVE page directly has this info as well,
so just knowing the CVE identifer will get you to it very fast:

https://nvd.nist.gov/vuln/detail/CVE-2018-13419
https://security-tracker.debian.org/tracker/CVE-2018-13419

-- 
Bye, Peter Korsgaard


More information about the buildroot mailing list