From: Leo Famulari <leo@famulari.name>
To: "Ludovic Courtès" <ludo@gnu.org>
Cc: 29232-done@debbugs.gnu.org
Subject: bug#29232: [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Date: Fri, 10 Nov 2017 12:17:38 -0500 [thread overview]
Message-ID: <20171110171738.GC11031@jasmine.lan> (raw)
In-Reply-To: <87a7zvhxq3.fsf@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 2180 bytes --]
On Thu, Nov 09, 2017 at 11:51:48PM +0100, Ludovic Courtès wrote:
> Hello,
>
> Leo Famulari <leo@famulari.name> skribis:
>
> > What do you think of fetching the patches like this, instead of copying
> > them into the Guix source tree?
>
> I think it’s OK. If the Gitweb instance disappears, or if it changes
> somehow, hopefully the patch itself will still have the same hash, so we
> can always change to different URL or a local file.
>
> > * gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
> > (qemu)[source]: Use qemu-patch.
>
> […]
>
> > + (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
> > + "qemu-CVE-2017-15038.patch"
> > + (base32
> > + "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
> > + (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
> > + "qemu-CVE-2017-15268.patch"
> > + (base32
> > + "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
> > + (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
> > + "qemu-CVE-2017-15289.patch"
> > + (base32
> > + "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))
>
> I trust these commits correspond to these CVEs.
Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
ol' annotated patch files instead.
Fetching the patches like this is too opaque. There's no *easy* way to
view the patches or figure out where they came from. The upstream
commits don't mention the CVE ID, and every interested person has to
re-do the work of corrolating the patch with the ID'd bug.
In practice, I think this extra works means that nobody will ever review
the patches or check that they correspond to a particular bug. Making
that easy is worth the extra bytes in our source tree.
Also I'm not confident that it will be easy to find bit-reproducible
patches in the future, whereas I think it will be easy to find the QEMU
tarballs and the patches from our Git repo.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2017-11-10 17:18 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-09 18:15 [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289} Leo Famulari
2017-11-09 22:51 ` Ludovic Courtès
2017-11-10 17:17 ` Leo Famulari [this message]
2017-11-10 21:42 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171110171738.GC11031@jasmine.lan \
--to=leo@famulari.name \
--cc=29232-done@debbugs.gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.