From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:46390)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eDCwQ-0005iZ-Ic
	for guix-patches@gnu.org; Fri, 10 Nov 2017 12:18:12 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eDCwM-0005Wt-JF
	for guix-patches@gnu.org; Fri, 10 Nov 2017 12:18:06 -0500
Received: from debbugs.gnu.org ([208.118.235.43]:53944)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1eDCwM-0005Wj-F7
	for guix-patches@gnu.org; Fri, 10 Nov 2017 12:18:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1eDCwM-0000lg-9Z
	for guix-patches@gnu.org; Fri, 10 Nov 2017 12:18:02 -0500
Subject: bug#29232: [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Resent-To: guix-patches@gnu.org
Resent-Message-ID: <handler.29232.D29232.15103342622918.done@debbugs.gnu.org>
Date: Fri, 10 Nov 2017 12:17:38 -0500
From: Leo Famulari <leo@famulari.name>
Message-ID: <20171110171738.GC11031@jasmine.lan>
References: <98773909c59c0ca327584f7d20ec35eedff74c79.1510251328.git.leo@famulari.name>
	<87a7zvhxq3.fsf@gnu.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="eHhjakXzOLJAF9wJ"
Content-Disposition: inline
In-Reply-To: <87a7zvhxq3.fsf@gnu.org>
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Ludovic =?UTF-8?Q?Court=C3=A8s?= <ludo@gnu.org>
Cc: 29232-done@debbugs.gnu.org


--eHhjakXzOLJAF9wJ
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Nov 09, 2017 at 11:51:48PM +0100, Ludovic Court=C3=A8s wrote:
> Hello,
>=20
> Leo Famulari <leo@famulari.name> skribis:
>=20
> > What do you think of fetching the patches like this, instead of copying
> > them into the Guix source tree?
>=20
> I think it=E2=80=99s OK.  If the Gitweb instance disappears, or if it cha=
nges
> somehow, hopefully the patch itself will still have the same hash, so we
> can always change to different URL or a local file.
>=20
> > * gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
> > (qemu)[source]: Use qemu-patch.
>=20
> [=E2=80=A6]
>=20
> > +            (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
> > +                        "qemu-CVE-2017-15038.patch"
> > +                        (base32
> > +                         "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9ir=
fkhw399q"))
> > +            (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
> > +                        "qemu-CVE-2017-15268.patch"
> > +                        (base32
> > +                         "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q=
5idvdp79"))
> > +            (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
> > +                        "qemu-CVE-2017-15289.patch"
> > +                        (base32
> > +                         "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv1=
85ma4z8d"))))
>=20
> I trust these commits correspond to these CVEs.

Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
ol' annotated patch files instead.

Fetching the patches like this is too opaque. There's no *easy* way to
view the patches or figure out where they came from. The upstream
commits don't mention the CVE ID, and every interested person has to
re-do the work of corrolating the patch with the ID'd bug.

In practice, I think this extra works means that nobody will ever review
the patches or check that they correspond to a particular bug. Making
that easy is worth the extra bytes in our source tree.

Also I'm not confident that it will be easy to find bit-reproducible
patches in the future, whereas I think it will be easy to find the QEMU
tarballs and the patches from our Git repo.

--eHhjakXzOLJAF9wJ
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAloF3zIACgkQJkb6MLrK
fwiZ2A//aGfpbYVczDDFWNLXveiyiqC2OmwFA1dkurlBe72k5pcbOOP5/P6Ec2hC
KX2xOC3RylIDZCLA2tqwOol8yCeKlMMODCJp4DgU1WssgG4w3bj0jFxNHVr+tMF0
GTcTjFCoAbry4WhJbfUWjgueBsuVEVCB/yRzUlXKojHokbmmVOU/Mf51QElgAGHZ
KqFRtI7t+ReA1pFjXF8kaYJ7LE6XL6pOcZuV6rzOF7gdAIp+cv/qpOxao06OOme6
SJSNTZOQO+GaatWygZ/QNqp/wnLQnI+/pPRmmjBF6oFWdpQIeFtex+T2Rfp5XBjA
MygbQxHXV6znnhEnjn17ao/nYK5lCK5NkU28FtwQAdC9qZ6ezjZd/QbVaF5j6Bh2
Zf3OHcrRyPWM3j5re8Oe9fTg/iqSUUQtfRkA0hJPJrr009sL3k5XLK1TaZ8YUktN
TRK1oiuHZwKJqScIRMRVemxO2zxdvSBzVt2UGljjI1Xl63Z3gFFCH5nw/2yP+82E
lLHugNzp6GY9IOofJtZDcMv0T6sa3r3topzwzB3iU0pMkiqCkF5OB6+UjuU9evNK
6jL8j5zbqAFjdjyoS6bOd/ADGtXkKArQE2p0mxdZzYdFEZV6IbZpnLilU79HUDbl
QudMFel/YBTgmrTgizIlxaqdOJtGpEeWok/oJ2oK/yKgi07czbA=
=h12n
-----END PGP SIGNATURE-----

--eHhjakXzOLJAF9wJ--