CVE-like management of safety critical fixes

Hi All,

We discussed today on the dev call the need for a CVE-like tracking of safety critical fixes. The idea is to have a well-defined process to escalate anything that is safety critical and allow users of PX4 to verify they have no exposure against known significant issues.

If you are not familiar with the CVE process, here is their FAQ: https://cve.mitre.org/about/faqs.html

This might be a bit too heavy for us, so I propose to start with something simple:

  • Add a CVE or alike tag on Github issues
  • Track those issues in a project
  • Some level of manual check or scripting that the last stable release has all fixes merged

I and Daniel are both interested to push this, who else wants to contribute?

I think there are two parts to this, both of which are required for either to have real impact:

  1. Users need to be able to check whether they are affected by an announced bug. Whether this is by mailing list, subscription or some other system, a temporarily grounded fleet is better than lost hardware or damage liability.

  2. Users need to have access to stable versions that have the critical bugfixes backported, else they will keep private branches with their bugfixes on it instead, leading to fragmentation, since they won’t be able to justify upgrading to latest releases.

I think we should start with 1. , using the simplest system we can think of which isn’t too painful. Perhaps a mailing list, and an email template which should be filled for critical issues explaining the scope and who is affected. If there are subscribers and this is successful, it can have some infrastructure added, eg. a bot that looks for tags and requests filling a google form, or more.

Item 2. is more of a maintenance issue, I think this is already a medium-term goal, correct?