> > We really should write the CVE numbers into the commit messages and
> > the release notes.
>
> I think that would be good.
That requires the CVE number to be available at the time of commit. Not
sure if it'll always be. But if it is, it's certainly a good idea to put
it in.
> > How about a simple webpage that has more or less a table with:
> > CVE-number | present in releases | fixed in releases
> > CVE-number | present in releases | fixed in releases
> > CVE-number | present in releases | fixed in releases
>
> ..and I think we should do this too.
>
> Have to say I'm a bit worried about overloading Tom and
> Bruce, who write most of the security patches and relevant
> release notes.
>
> Anybody else volunteer to maintain the web page?
While I think it would be a good idea for someone on -core to actually
be responsible for such a list, I can certainly create and maintain the
page. With our track record of security issues, it doesn't seem that it
should be all that much work...
//Magnus