Hello everyone, I need some clarification on some items in the commit message for VBD challenges.
So I've read the template located in https://gitlab.com/fluidattacks/writeups/blob/jpverde/templates/commit-msg-vbd.txt
In this line - discovered vulnerabilities: X by me, Y already in repo, X+Y total.
From what I've read, it says X is the ACCUMULATED vulnerabilities found by me, and Y is the ACCUMULATED vulnerabilities already in the repo. My question here is: if I've found 3 vulnerabilities for a system that has 0 vulnerabilities reported before, how do I type this line in the commit message?
PS. I've already done 2 MRs to this system, and the third is the one I'm doing right now.
3 by me, 0 already in repo, 3 total.
In case you've found 3 vulnerabilities for a ToE that has 0 vulnerabilities found by others
That would be impossible, because the vulnerabilities are considered found “by you” as they are reported, so they should be in the repository. I.e., X <= Y + 1 must hold (another check to be done at parsing time).
So, let's take away the one I'm doing right now: there are 2 already in the repo found by me, and I need to commit the third one, so I should put 1 by me, 2 already in repo, 3 total
or as shown in the example by @infinite-loop? I'm very confused here.
I’ve always assumed that “already in repo” does not contain my own solutions, because if it did, “by me” would always be 1.
EDIT:
Actually, I take back what I just said. The reason why I do not include my own solutions in both “by me” and “already in repo” once my solutions reach master is that the total would end up not representing the real number of current solutions in the ToE, as the same solution would be counted twice.
EDIT 2:
Taking into account what @roaring-lamport just said, your commit message should be:
2 by me, 0 already in repo, 2 total.
As the solution you’re currently posting does not count until it gets approved.
It’s funny how this generates confusion even amongst those who designed it.
Thanks to this thread I just found out that the commit template is inconsistent.
It should be how @infinite-loop said, but that would not be consistent with:
# X is the ACCUMULATED number of vulnerabilites in this system discovered by you
# Y is the ACCUMULATED number of vulnerabilites already reported in the repo,
# including those previously reported by you
because in this particular case X would be 3, Y = 2, and so the total would be 5, which is not the total number of vulns found in the ToE.
@blue-snot @infinite-loop your input here would be nice to establish how this should be interpreted once and for all
Actually, someone already reported this, but it seems like he did not create an issue.
# including those previously reported by you
Should be replaced by
# not including yours
Other minor additions should be made for clarification, like explicitly saying that for X, the solution posted in the MR does not count yet.
Already fixing that line.
However
Other minor additions should be made for clarification, like explicitly saying that for X, the solution posted in the MR does not count yet.
Would imply that the first vuln in a new ToE would have 0 everything.
0 by me, 0 already in repo, 0 total.
Do we all agree on that?
Yes, if the ToE is officially empty (master doesn’t have a single solution), everything should be 0.
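As an added example (not code from the writeups repository, the template, or any participant in this thread), here is a small Python validator for the counts line under the interpretation the thread converges on: X is your solutions already merged to master (the one in the open MR does not count yet), Y is the solutions in master by other people (not including yours), and the total is X + Y. The function names, the regular expression and the sample commit messages are my own assumptions; the old template's reading is included only to show the double counting that produces 3, 2, 5 in the example above.

```python
import re

# Shape of the counts line discussed in the thread (assumed format for this example):
#   discovered vulnerabilities: X by me, Y already in repo, T total
COUNTS_RE = re.compile(
    r"^discovered vulnerabilities:\s*(\d+) by me,\s*(\d+) already in repo,\s*(\d+) total\.?$"
)


def parse_counts_line(line):
    """Return (x, y, total) parsed from a counts line, or raise ValueError."""
    match = COUNTS_RE.match(line.strip())
    if not match:
        raise ValueError(f"malformed counts line: {line!r}")
    return tuple(int(group) for group in match.groups())


def validate_counts(x, y, total):
    """Return a list of problems; an empty list means the line is self-consistent."""
    problems = []
    if total != x + y:
        problems.append(f"total {total} != {x} by me + {y} already in repo")
    return problems


def expected_counts(mine_in_master, others_in_master):
    """Counts under the corrected template ('not including yours').

    X counts only your solutions already in master; the solution in the
    open MR is not counted until it is approved, so a new ToE yields 0, 0, 0.
    """
    return mine_in_master, others_in_master, mine_in_master + others_in_master


def old_template_counts(mine_in_master, others_in_master):
    """Counts under the old wording ('including those previously reported by you').

    X is read as accumulated by you including the current MR, and Y as
    everything in master including yours, so each of your merged solutions
    is counted twice (the 3, 2, 5 case in the thread).
    """
    x = mine_in_master + 1
    y = mine_in_master + others_in_master
    return x, y, x + y


def format_counts_line(mine_in_master, others_in_master):
    x, y, total = expected_counts(mine_in_master, others_in_master)
    return f"discovered vulnerabilities: {x} by me, {y} already in repo, {total} total."


def check_commit_message(message, mine_in_master, others_in_master):
    """Locate the counts line in a commit message and compare it with what master implies."""
    for line in message.splitlines():
        if line.strip().startswith("discovered vulnerabilities:"):
            x, y, total = parse_counts_line(line)
            problems = validate_counts(x, y, total)
            expected = expected_counts(mine_in_master, others_in_master)
            if (x, y, total) != expected:
                problems.append(f"line says {(x, y, total)} but master implies {expected}")
            return problems
    return ["counts line missing"]


if __name__ == "__main__":
    # Constructed commit message for the asker's situation: 2 of their MRs
    # already merged, nobody else has reported anything, third MR in progress.
    message = "feat(vbd): third solution\n\n" + format_counts_line(2, 0) + "\n"
    print(message)
    print("problems:", check_commit_message(message, 2, 0))
    print("old template would give:", old_template_counts(2, 0))
```

The check accepts the answer given in EDIT 2 (2 by me, 0 already in repo, 2 total) and rejects the 3, 0, 3 and 1, 2, 3 variants proposed earlier, since both disagree with what master contains at the time of the MR.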