
What to do about CVE numbers

Posted Oct 7, 2019 15:04 UTC (Mon) by smurf (subscriber, #17840)
In reply to: What to do about CVE numbers by epa
Parent article: What to do about CVE numbers

You can't have a "Partly-Fixes:" tag without a time machine. Often the partiality of the fix isn't known for some time.


to post comments

What to do about CVE numbers

Posted Oct 10, 2019 11:23 UTC (Thu) by epa (subscriber, #39769) [Link]

Well, the effectiveness of the fix isn't always known for some time either. Some purported fixes for security holes have turned out to be useless or almost useless. But you can record the best known information at the time the commit was made. That could be in English text, or, for easier parsing, with some kind of header format like Fixes. Just as in English there is a difference between "I believe this is a full fix for the hole introduced in commit abc" and "This fixes the bug from commit abc in some but perhaps not all cases", it would be worthwhile to distinguish the two in the parsable header format.

But in fact, your point illustrates that commit messages are not a great place for this information. In git they are immutable. But knowledge (about which commits fix what bugs) changes over time. So it would perhaps be better as a separate database rather than parsing commit messages.
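The parsable header plus a separate, revisable side table that epa describes, as an added illustration (not code from either commenter or from LWN): the `Partly-Fixes:` trailer, the `FixDatabase` class and the commit hashes are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
# Kernel-style trailer: tag, 12-40 hex digits, quoted subject. "Partly-Fixes:" is
# the hypothetical tag from the thread, not an existing kernel convention.
TRAILER_RE = re.compile(r'^(?P<tag>Fixes|Partly-Fixes): (?P<sha>[0-9a-f]{12,40}) \("(?P<subject>[^"]*)"\)$', re.MULTILINE)

@dataclass
class FixRecord:
    fixing: str     # commit carrying the trailer
    broken: str     # commit it claims to fix
    complete: bool  # True for "Fixes:", False for "Partly-Fixes:"
    note: str = "as stated in commit message"

def parse_fix_trailers(fixing_sha, message):
    """Extract Fixes:/Partly-Fixes: trailers from one commit message."""
    return [FixRecord(fixing_sha, m["sha"], m["tag"] == "Fixes")
            for m in TRAILER_RE.finditer(message)]

class FixDatabase:
    """Side table keyed by the broken commit. Unlike a git message, a record
    here can be revised once a fix turns out to be partial or useless."""
    def __init__(self):
        self.by_broken = {}

    def ingest(self, fixing_sha, message):
        for rec in parse_fix_trailers(fixing_sha, message):
            self.by_broken.setdefault(rec.broken, []).append(rec)

    def downgrade(self, fixing_sha, broken_sha, note):
        """Record later knowledge: the fix was only partial after all."""
        for rec in self.by_broken.get(broken_sha, []):
            if rec.fixing == fixing_sha:
                rec.complete, rec.note = False, note

    def is_fully_fixed(self, broken_sha):
        return any(r.complete for r in self.by_broken.get(broken_sha, []))

# Constructed sample data; the hashes are placeholders, not real commits.
BROKEN, FIX_A, FIX_B = "1111111111aa", "2222222222bb", "3333333333cc"
MSG_A = 'net: validate header length\n\nFixes: 1111111111aa ("net: add fast path")\n'
MSG_B = 'net: also check trailer\n\nPartly-Fixes: 1111111111aa ("net: add fast path")\n'

def demo():
    """Return (fully fixed after ingest?, fully fixed after FIX_A is downgraded?)."""
    db = FixDatabase()
    db.ingest(FIX_A, MSG_A); db.ingest(FIX_B, MSG_B)
    before = db.is_fully_fixed(BROKEN)
    db.downgrade(FIX_A, BROKEN, "bypass reported; fix incomplete")
    return before, db.is_fully_fixed(BROKEN)
```

Once the commit claiming a full fix is downgraded, the only remaining record is the partial one, so the broken commit correctly stops reporting as fully fixed without any commit message being rewritten.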


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds