[yocto] 2.2 release note material

Paul Eggleton paul.eggleton at intel.com
Thu Oct 20 12:32:58 PDT 2016


Hi Armin,

On Thu, 20 Oct 2016 08:26:37 akuster808 wrote:
> Regarding the CVE list. I see some info is based on what was in the
> commit messages for package updates. I suspect the list would be bigger
> because of general package updates. Should the release notes make note
> of that?
> Should the community in general provide more info in the commits to
> help with release notes if that is a source used for that process?

We really should include that - unfortunately I didn't have time to track down 
all of those, assembling this list took several days of grinding through the 
commits as it was. I did check upstream for some of the upgrades where a CVE 
patch was removed just to verify that fix was indeed included in the upgrade, 
and for those I collected any others that were listed as having been fixed, 
but I wasn't really systematic about that.

Do you know if there's any central resource we can use to find out which 
versions of upstream software included which CVE fixes, or is it perhaps time 
we started gathering links to the changelogs for each recipe? (Maybe we should 
do the latter anyway.)

Cheers,
Paul

-- 
Paul Eggleton
Intel Open Source Technology Centre


