Re: CVE-check failing on world with meta-openembedded: diff.gz file
On Tue, Apr 26, 2022 at 6:09 PM Khem Raj <raj.khem@...> wrote:
Adding Ross, Richard and Steve.
I'm wondering if it makes sense to consider .diff.gz (or .patch.gz) files as patches for
cve-check. They basically come directly from 3rd parties and it is quite unlikely to expect
them to keep the CVE: tag. All the pieces of documentation I can find mention also only
.patch files for CVEs, and not .patch.gz.
This is tempting to remove the .gz handling here (for the cve-check) in my opinion.
Also, since the commit f5f97d33a1703d75b9fd9760f2c7767081538e00, cve-check
depends only on do_fetch.
Any further opinions?