Subject: bug#29232: [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Date: Fri, 10 Nov 2017 12:17:38 -0500
From: Leo Famulari
To: Ludovic Courtès
Cc: 29232-done@debbugs.gnu.org
Message-ID: <20171110171738.GC11031@jasmine.lan>
In-Reply-To: <87a7zvhxq3.fsf@gnu.org>

On Thu, Nov 09, 2017 at 11:51:48PM +0100, Ludovic Courtès wrote:
> Hello,
>
> Leo Famulari skribis:
>
> > What do you think of fetching the patches like this, instead of copying
> > them into the Guix source tree?
>
> I think it's OK.
> If the Gitweb instance disappears, or if it changes
> somehow, hopefully the patch itself will still have the same hash, so we
> can always change to a different URL or a local file.
>
> > * gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
> > (qemu)[source]: Use qemu-patch.
>
> […]
>
> > + (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
> > + "qemu-CVE-2017-15038.patch"
> > + (base32
> > + "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
> > + (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
> > + "qemu-CVE-2017-15268.patch"
> > + (base32
> > + "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
> > + (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
> > + "qemu-CVE-2017-15289.patch"
> > + (base32
> > + "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))
>
> I trust these commits correspond to these CVEs.

Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good ol'
annotated patch files instead.

Fetching the patches like this is too opaque. There's no *easy* way to view
the patches or figure out where they came from. The upstream commits don't
mention the CVE ID, and every interested person has to re-do the work of
correlating the patch with the ID'd bug. In practice, I think this extra work
means that nobody will ever review the patches or check that they correspond
to a particular bug. Making that easy is worth the extra bytes in our source
tree.

Also I'm not confident that it will be easy to find bit-reproducible patches
in the future, whereas I think it will be easy to find the QEMU tarballs and
the patches from our Git repo.