nixpkgs manual: add section on submitting security fixes
This commit is contained in:
parent
11e98079ba
commit
ff060579a3
@ -228,6 +228,33 @@ Additional information.
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
<section xml:id="submitting-changes-submitting-security-fixes">
|
||||
<title>Submitting security fixes</title>
|
||||
|
||||
<para>
|
||||
Security fixes are submitted in the same way as other changes and thus the same guidelines apply.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
If the security fix comes in the form of a patch and a CVE is available, then the name of the patch should be the CVE identifier, so e.g. <literal>CVE-2019-13636.patch</literal> in the case of a patch that is included in the Nixpkgs tree. If a patch is fetched the name needs to be set as well, e.g.:
|
||||
</para>
|
||||
|
||||
<programlisting>
|
||||
(fetchpatch {
|
||||
name = "CVE-2019-11068.patch";
|
||||
url = "https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch";
|
||||
sha256 = "0pkpb4837km15zgg6h57bncp66d5lwrlvkr73h0lanywq7zrwhj8";
|
||||
})
|
||||
</programlisting>
|
||||
|
||||
<para>
|
||||
If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as <literal>master</literal> and <literal>release-*</literal>.
|
||||
</para>
|
||||
</section>
|
||||
<section xml:id="submitting-changes-pull-request-template">
|
||||
<title>Pull Request Template</title>
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user