From: Leo Famulari
Subject: Re: [PATCH 0/1] Gst-plugins-good security update
Date: Sat, 26 Nov 2016 14:38:42 -0500
Message-ID: <20161126193842.GA12448@jasmine>
In-Reply-To: <87fumehbe5.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me>
To: Marius Bakke
Cc: guix-devel@gnu.org

On Sat, Nov 26, 2016 at 09:51:30AM +0100, Marius Bakke wrote:
> Leo Famulari writes:
>
> > This patch should fix the bugs named here:
> >
> > http://seclists.org/oss-sec/2016/q4/517
> >
> > I copied Debian's approach, which is to take all the recent patches for
> > the vulnerable component (the FLIC decoder).
> >
> > My understanding is that the first two patches fix the CVEs, the 3rd
> > fixes an unrelated bug, and the 4th is a total rewrite of the component,
> > because "code is terrible, it should be entirely re-written" [0].
> >
> > The CVE bug fixes are not split into discrete patches, so it doesn't
> > work to make patches for each CVE ID, like we normally do.
> >
> > Is this approach (concatenating the patches) okay?
>
> I prefer having them separately, so the upstream commit can be clearly
> referenced in the patch header; and they can be reviewed and modified
> independently.
>
> In this instance it's okay, since I just checked out the 1.10 branch and
> concatenated the four commits and ended up with the same patch :-)
>
> That's not to say it should not be allowed. I think this approach is
> fine for long patch series, but at only four patches it's not the best
> precedent.
>
> Anyway, thanks for taking care of this, and LGTM! Please push! :-)

I split them up and (hopefully) annotated them well enough that readers
can follow along.
Pushed as 9e46245b89e0f30397f69391a2219a29caa336a2
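The review check Marius describes (check out the 1.10 branch, concatenate the four commits, confirm the result matches the submitted patch) and the per-commit split with upstream references that followed, as an added example that is not part of this thread, of Guix, or of gst-plugins-good. It builds a throwaway git repository inline: the branch name 1.10 comes from the thread, while the file flxdec.c, the commit contents, the scratch branch names and the "Upstream commit ..." header line prepended to each split patch are constructed stand-ins, not the real FLIC decoder code or the Guix patch-header convention.

```sh
#!/bin/sh
# Added example, not code from the thread or from gst-plugins-good.
# Reproduces the reviewer check described above on a throwaway repository:
# squash the backported commits into one diff (what a concatenated patch is),
# confirm that it rebuilds exactly the tree at the tip of the 1.10 branch,
# then emit one patch per upstream commit, each headed by the commit it came
# from, and confirm the split series rebuilds the same tree too.
# The file flxdec.c, the commit contents and the "Upstream commit" header
# line are constructed stand-ins; only the branch name comes from the thread.
set -e

# A throwaway "upstream": one base commit plus four follow-up commits on a
# branch named 1.10, mirroring the four commits being backported.
make_upstream() {
  repo=$(mktemp -d)
  cd "$repo"
  git init -q
  git symbolic-ref HEAD refs/heads/1.10
  git config user.email dev@example.org
  git config user.name 'Example Dev'
  printf 'int flx_decode(int n) { return n; }\n' > flxdec.c
  git add flxdec.c
  git commit -q -m 'flxdec: stand-in base'
  i=1
  while [ "$i" -le 4 ]; do
    printf '/* stand-in fix %s */\n' "$i" >> flxdec.c
    git add flxdec.c
    git commit -q -m "flxdec: stand-in fix $i"
    i=$((i + 1))
  done
  echo "$repo"
}

# The check on a concatenated patch: apply the squashed diff to the base
# commit on a scratch branch and compare with the branch tip.
# Prints "same" when the trees match, "different" otherwise.
check_concatenated() {
  repo=$1
  out=$(mktemp -d)
  cd "$repo"
  base=$(git rev-list --max-parents=0 1.10)
  git diff "$base" 1.10 > "$out/concatenated.patch"
  git checkout -q -b rebuilt "$base"
  git apply --check "$out/concatenated.patch"   # refuse anything that does not apply cleanly
  git apply --index "$out/concatenated.patch"
  git commit -q -m 'apply concatenated backport'
  if git diff --quiet rebuilt 1.10; then echo same; else echo different; fi
}

# Split into one patch per upstream commit, each prefixed with the commit it
# reproduces so a reader can trace it, then apply the series in order onto
# the base and compare the working tree with the branch tip.
# The prefix line is fine for git apply and patch -p1, which skip leading text.
split_with_provenance() {
  repo=$1
  out=$(mktemp -d)
  cd "$repo"
  base=$(git rev-list --max-parents=0 1.10)
  git format-patch -q -o "$out" "$base"..1.10
  git checkout -q -b split-check "$base"
  for p in "$out"/*.patch; do
    sha=$(sed -n '1s/^From \([0-9a-f]*\) .*/\1/p' "$p")
    { printf 'Upstream commit %s on the 1.10 branch.\n\n' "$sha"; cat "$p"; } > "$p.tmp"
    mv "$p.tmp" "$p"
    git apply "$p"
  done
  if git diff --quiet 1.10; then echo same; else echo different; fi
}

# Runs both checks; prints "same same" for a faithful concatenation and split.
run_demo() {
  command -v git >/dev/null 2>&1 || { echo skipped; return 0; }
  repo=$(make_upstream)
  echo "$(check_concatenated "$repo") $(split_with_provenance "$repo")"
}

run_demo
```

On a real backport the base would be the commit the distribution's tarball corresponds to rather than the root commit, and the squashed diff would be the patch file under review; the two comparisons are what tell you that nothing was dropped or added while concatenating, and that the split series still adds up to the same change.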