From ff060579a395fe6ccff2ce5fd4fa9fab740761be Mon Sep 17 00:00:00 2001 From: Frederik Rietdijk Date: Wed, 30 Oct 2019 11:41:17 +0100 Subject: [PATCH] nixpkgs manual: add section on submitting security fixes --- doc/contributing/submitting-changes.xml | 27 +++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/doc/contributing/submitting-changes.xml b/doc/contributing/submitting-changes.xml index 14155021f614..6a8b4e0b249e 100644 --- a/doc/contributing/submitting-changes.xml +++ b/doc/contributing/submitting-changes.xml @@ -228,6 +228,33 @@ Additional information. +
+ Submitting security fixes + + + Security fixes are submitted in the same way as other changes and thus the same guidelines apply. + + + + If the security fix comes in the form of a patch and a CVE is available, then the name of the patch should be the CVE identifier, so e.g. CVE-2019-13636.patch in the case of a patch that is included in the Nixpkgs tree. If a patch is fetched the name needs to be set as well, e.g.: + + + + (fetchpatch { + name = "CVE-2019-11068.patch"; + url = "https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6.patch"; + sha256 = "0pkpb4837km15zgg6h57bncp66d5lwrlvkr73h0lanywq7zrwhj8"; + }) + + + + If a security fix applies to both master and a stable release then, similar to regular changes, they are preferably delivered via master first and cherry-picked to the release branch. + + + + Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as master and release-*. + +
Pull Request Template
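Review bot: the closing paragraph of the new section ("Critical security fixes may by-pass the staging branches and be delivered directly to release branches such as master and release-*") spells "bypass" without a hyphen, lists master among the "release branches" even though the preceding paragraph treats master and the stable release as distinct, and gives no criterion for what makes a fix "critical"; consider rewording to "Critical security fixes may bypass the staging branches and be delivered directly to master and the release-* branches" and stating who decides that a fix qualifies. The naming rule ("the name of the patch should be the CVE identifier", with the `name = "CVE-2019-11068.patch"` fetchpatch example) also leaves undefined what to do when one patch addresses several CVEs or when no CVE has been assigned yet; a sentence covering those two cases would make the guideline complete.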