[LEDE-DEV] [RFC] adding CPE IDs to package Makefiles

Alexander Couzens lynxis at fe80.eu
Tue Oct 3 15:04:17 PDT 2017


Hi Jo,

thanks for your mail!

On Sun, 1 Oct 2017 14:43:03 +0200
Jo-Philipp Wich <jo at mein.io> wrote:

> FORMAT
> 
> The proposed format for adding CPE IDs to Makefiles would be a new
> variable called "PKG_CPE" which is set to the corresponding ID of the
> package. Multiple ids may be specified, separated by space.
I would like to add "PKG_CPE:=unassigned" for packages which don't
have a CPE.

> - For any security fixes made to a package after the cut-off date
>   require developers to mention the fixed CVEs in either the commit
>   subject or the commit message, for example:
I think this is easy if we add patches which fixes a CVE. But I'm not
sure, if we can manage to track all CVEs fixed by a commit when (e.g.
when updating to a new version). But that shouldn't be a problem if
tracking via $(PKG_CPE):$(PKG_VERSION) works.

How about extending `make check` to throw an error for a missing
PKG_CPE?

Best,
lynxis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.infradead.org/pipermail/lede-dev/attachments/20171004/69b626d2/attachment.sig>


More information about the Lede-dev mailing list