[yocto] 2.2 release note material

akuster808 akuster808 at gmail.com
Thu Oct 20 14:36:21 PDT 2016


On 10/20/16 12:32 PM, Paul Eggleton wrote:
> Hi Armin,
> 
> On Thu, 20 Oct 2016 08:26:37 akuster808 wrote:
>> Regarding the CVE list. I see some info is based on what was in the
>> commit messages for package updates. I suspect the list would be bigger
>> because of general package updates. Should the release notes make note
>> of that?
>>   Should the community in general provide more info in the commits to
>> help with release notes if that is a source used for that process?
> 
> We really should include that - unfortunately I didn't have time to track down 
> all of those, assembling this list took several days of grinding through the 
> commits as it was. 

This is why I bring it up. We tend to take the easy route when
submitting changes, not understanding the work it may cause someone else
downstream. I appreciate your effort in this task.


> I did check upstream for some of the upgrades where a CVE
> patch was removed just to verify that fix was indeed included in the upgrade, 
> and for those I collected any others that were listed as having been fixed, 
> but I wasn't really systematic about that.
> 
> Do you know if there's any central resource we can use to find out which 
> versions of upstream software included which CVE fixes, 

There are, but I am not sure how complete they are. It's not uncommon for
the NVD to have "reserved" listed for something that has been out for a
while. Let me look into it.

> or is it perhaps time
> we started gathering links to the changelogs for each recipe? (Maybe we should 
> do the latter anyway.)

Some packages use a common link for all changes.

I think people just need to be aware we use the commit messages to help
with release notes. I am not proposing using a keyword in the commit
messages that we can suck in with a tool to help create the release
notes. That would just be silly.

- armin
> 
> Cheers,
> Paul
> 


