launchpad-reviewers team mailing list archive

Thread
Date

Re: [Merge] ~enriqueesanchz/launchpad:add-metadata-cve-model into launchpad:master

To: mp+493451@xxxxxxxxxxxxxxxxxx
From: Ines Almeida <mp+493451@xxxxxxxxxxxxxxxxxx>
Date: Tue, 30 Sep 2025 10:50:05 -0000
In-reply-to: <175915406880.1178548.13141007800635190210.launchpad@scripts-bzrsyncd.lp.internal>
Reply-to: mp+493451@xxxxxxxxxxxxxxxxxx
Sender: noreply@xxxxxxxxxxxxx


Diff comments:

> diff --git a/lib/lp/bugs/interfaces/cve.py b/lib/lp/bugs/interfaces/cve.py
> index 4efd60c..7f50341 100644
> --- a/lib/lp/bugs/interfaces/cve.py
> +++ b/lib/lp/bugs/interfaces/cve.py
> @@ -180,6 +180,18 @@ class ICve(Interface):
>          as_of="devel",
>      )
>  
> +    metadata = exported(
> +        Dict(
> +            title=_("metadata"),
> +            description=_("CVE metadata."),
> +            key_type=Text(),
> +            value_type=Text(),
> +            required=False,
> +            readonly=False,

Do we want users to update these fields though? Seems like the sort of details that shouldn't be updated by hand - i.e., anyone could read as long as the CVE is public, but only admins could write.
Indeed description is not readonly, but I find that odd... Afaik there is no restrictions on CVEs, so is it that any person would be able to change this field? I'm not comfortable with that. Can you investigate what restrictions there are that would make it OK to make this not be readonly?

> +        ),
> +        as_of="devel",
> +    )
> +
>      def createReference(source, content, url=None):
>          """Create a new CveReference for this CVE."""
>  


-- 
https://code.launchpad.net/~enriqueesanchz/launchpad/+git/launchpad/+merge/493451
Your team Launchpad code reviewers is requested to review the proposed merge of ~enriqueesanchz/launchpad:add-metadata-cve-model into launchpad:master.

References

[Merge] ~enriqueesanchz/launchpad:add-metadata-cve-model into launchpad:master
From: Enrique Sánchez, 2025-09-29