[arch-security] Idea : Automated emails to
Greetings all. I have a concept which I'd like to run by you all.

Typically, new releases are issued by upstream to address them. However, there are times where the package is patched prior to the new release. Of course, this is great work by the devs. Myself, I'd like to document that the CVEs have been addressed on the CVE-2014 wiki page. I'm sure the devs don't have time to enter the CVE entries onto the wiki page themselves; after all, this is why the CVE Monitoring Team was assembled. I'd be happy to enter them myself.

I'm wondering if there is a mechanism by which a patch could be marked as addressing a CVE. And once it is marked as addressing a CVE, is there any mechanism which could be made to automatically send an email to arch-security announcing this? A one-line email stating the package name and the CVE number would be enough for me to collect any information and add the entry to the CVE-2014 wiki page.

If I were more familiar with the process, I would be happy to write such a script myself. Should someone in the know point me in the right direction, I'll take the initiative and begin the process.

- bwayne

On Sat, May 17, 2014 at 10:37 AM, Billy McCann <thebillywayne@gmail.com> wrote:
> Typically, new releases are issued by upstream to address them.

Read: Typically new releases are issued by upstream to address announced CVEs.

I've found that if I scan through the ABS, I find lots of packages with CVE-2014-???.patch. This should do it.

- bwayne
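
The scan described in this thread, as an added example that is not part of the original messages and is not Arch tooling: it walks an ABS-style tree, picks out patch files whose names carry a CVE id, and produces the one-line "package CVE" notices the first message asks for. The tree layout, the function names and the sample package and CVE names are assumptions constructed for illustration.

```python
import os
import re
import tempfile

CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)  # year, then 4+ digits
PATCH_SUFFIXES = (".patch", ".diff")


def find_cve_patches(abs_root, year=None):
    """Return sorted (package, cve_id) pairs from CVE-named patch files.

    Assumption: the package is the directory holding the patch file.
    """
    found = set()
    for dirpath, _dirs, files in os.walk(abs_root):
        package = os.path.basename(dirpath)
        for name in files:
            if not name.lower().endswith(PATCH_SUFFIXES):
                continue
            # One patch file may name several CVEs; report each once.
            for m in CVE_RE.finditer(name):
                if year is None or int(m.group(1)) == year:
                    found.add((package, f"CVE-{m.group(1)}-{m.group(2)}"))
    return sorted(found)


def notification_lines(pairs):
    """One line per finding: package name and CVE number."""
    return [f"{pkg} {cve}" for pkg, cve in pairs]


def build_sample_tree(root):
    """Constructed sample tree; package names and CVE numbers are made up."""
    layout = {
        "core/examplepkg": ["PKGBUILD", "CVE-2014-0001.patch"],
        "extra/otherpkg": ["PKGBUILD", "fix-build.patch",
                           "otherpkg-cve-2014-12345-CVE-2013-9999.patch"],
        "extra/cleanpkg": ["PKGBUILD"],
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel))
        for name in names:
            open(os.path.join(root, rel, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(notification_lines(find_cve_patches(tmp, year=2014))))
```

A filename match only shows that a patch is named after a CVE; packages that carry a fix under another filename are not found this way.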