[openssl-users] Should openssl publish the commit #'s that fixed each CVE?

Ethan Rahn ethan.rahn at gmail.com
Thu Jan 26 18:40:15 UTC 2017


When looking at the latest security announcement, something that I notice is
that it's hard to find the actual commits that fixed an issue. If you
search git.openssl.org you can find some of them if they are mentioned in
the change message, but it still requires some active effort.

Would it be a good idea for openssl to publish the commit(s) that fixed
each CVE? It would make it easier to see what changed, which is great for
a.) backporting.
b.) satisfying curiosity of armchair cryptographers.
c.) better assessing an issue.

