* [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
@ 2017-11-09 18:15 Leo Famulari
  2017-11-09 22:51 ` Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2017-11-09 18:15 UTC (permalink / raw)
  To: 29232

What do you think of fetching the patches like this, instead of copying
them into the Guix source tree?

* gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
(qemu)[source]: Use qemu-patch.
---
 gnu/packages/virtualization.scm | 31 +++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)

diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 14b1dfbe0..2a2f41626 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -69,7 +69,7 @@
   (origin
     (method url-fetch)
     (uri (string-append
-          "http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h="
+          "https://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h="
           commit))
     (sha256 sha256)
     (file-name file-name)))
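Review bot: switching the Gitweb URL to HTTPS only protects the transfer; what actually pins the content is the `(sha256 sha256)` field, and it is computed over the whole `commitdiff_plain` output (commit headers and message included), not over the diff alone. A one-line comment above `qemu-patch` saying so would help whoever hits a mismatch later: a changed Gitweb rendering makes the fixed-output download fail loudly rather than pull in different content, and the URL can then be swapped for any source serving byte-identical output.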
@@ -78,13 +78,28 @@
   (package
     (name "qemu")
     (version "2.10.1")
-    (source (origin
-             (method url-fetch)
-             (uri (string-append "https://download.qemu.org/qemu-"
-                                 version ".tar.xz"))
-             (sha256
-              (base32
-               "1ahwl7r18iw2ds0q3c51nlivqsan9hcgnc8bbf9pv366iy81mm8x"))))
+    (source
+      (origin
+        (method url-fetch)
+        (uri (string-append "https://download.qemu.org/qemu-"
+                            version ".tar.xz"))
+        (patches
+          (list
+            (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
+                        "qemu-CVE-2017-15038.patch"
+                        (base32
+                         "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
+            (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
+                        "qemu-CVE-2017-15268.patch"
+                        (base32
+                         "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
+            (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
+                        "qemu-CVE-2017-15289.patch"
+                        (base32
+                         "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))
+        (sha256
+         (base32
+          "1ahwl7r18iw2ds0q3c51nlivqsan9hcgnc8bbf9pv366iy81mm8x"))))
     (build-system gnu-build-system)
     (arguments
      '(;; Running tests in parallel can occasionally lead to failures, like:
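Review bot: nothing in this hunk lets a reviewer tie each commit hash to the CVE named in its file-name; the upstream commits are referenced only by hash, so a short comment per `qemu-patch` entry stating what the commit fixes would let someone verify the mapping without re-deriving it. On style, `patches` has been placed between `uri` and `sha256`, whereas the removed lines had `sha256` directly after `uri`; keeping that order, and not moving `(origin` onto its own line, would shrink the re-indentation noise so the three added patches stand out as the only real change.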
-- 
2.15.0


* [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
  2017-11-09 18:15 [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289} Leo Famulari
@ 2017-11-09 22:51 ` Ludovic Courtès
  2017-11-10 17:17   ` bug#29232: " Leo Famulari
  0 siblings, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2017-11-09 22:51 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 29232

Hello,

Leo Famulari <leo@famulari.name> skribis:

> What do you think of fetching the patches like this, instead of copying
> them into the Guix source tree?

I think it’s OK.  If the Gitweb instance disappears, or if it changes
somehow, hopefully the patch itself will still have the same hash, so we
can always change to a different URL or a local file.

> * gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
> (qemu)[source]: Use qemu-patch.

[…]

> +            (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
> +                        "qemu-CVE-2017-15038.patch"
> +                        (base32
> +                         "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
> +            (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
> +                        "qemu-CVE-2017-15268.patch"
> +                        (base32
> +                         "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
> +            (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
> +                        "qemu-CVE-2017-15289.patch"
> +                        (base32
> +                         "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))

I trust these commits correspond to these CVEs.

Thanks,
Ludo’.
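The remark above that the patch will "still have the same hash" rests on the origin being content-addressed. The following is an added example, not code from this thread or from Guix itself: it implements the Nix base32 encoding that Guix uses for `(sha256 (base32 ...))` values, plus the check a fixed-output download performs, over a constructed stand-in for a Gitweb `commitdiff_plain` download.

```python
import hashlib

# Nix/Guix base32 alphabet: 32 symbols, deliberately omitting e, o, t and u.
NIX_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"

def nix_base32_encode(digest: bytes) -> str:
    """Encode bytes the way `guix hash` prints them: 5-bit groups, most significant first."""
    nchars = (len(digest) * 8 + 4) // 5  # 52 characters for a 32-byte SHA-256
    out = []
    for n in range(nchars - 1, -1, -1):
        i, j = divmod(n * 5, 8)  # byte index and bit offset of this 5-bit group
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_ALPHABET[c & 0x1F])
    return "".join(out)

def nix_base32_decode(text: str) -> bytes:
    """Inverse of nix_base32_encode; raises ValueError on malformed input."""
    nbytes = len(text) * 5 // 8
    out = bytearray(nbytes)
    for n, ch in enumerate(reversed(text)):
        digit = NIX_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"invalid nix base32 character {ch!r}")
        i, j = divmod(n * 5, 8)
        out[i] |= (digit << j) & 0xFF
        if i + 1 < nbytes:
            out[i + 1] |= digit >> (8 - j)
        elif digit >> (8 - j):
            raise ValueError("non-zero padding bits")
    return bytes(out)

def sha256_base32(content: bytes) -> str:
    """The value Guix records in (sha256 (base32 ...)) for a downloaded file."""
    return nix_base32_encode(hashlib.sha256(content).digest())

def verify_download(content: bytes, expected_base32: str) -> bool:
    """What a fixed-output origin enforces: the bytes must hash to the recorded value."""
    return sha256_base32(content) == expected_base32

# Constructed stand-in for a Gitweb commitdiff_plain download (not a real QEMU patch).
SAMPLE_PATCH = b"From 0000000000000000000000000000000000000000\nSubject: constructed\n--- a/f\n+++ b/f\n"
SAMPLE_HASH = sha256_base32(SAMPLE_PATCH)

if __name__ == "__main__":
    # Same bytes from any mirror or a local file verify; one extra newline does not.
    print(SAMPLE_HASH, verify_download(SAMPLE_PATCH, SAMPLE_HASH))
    print(verify_download(SAMPLE_PATCH + b"\n", SAMPLE_HASH))
```

Because the hash covers Gitweb's full output, a change in how that page is rendered shows up as a failed download, which is exactly the case where the URL can be replaced by any other source of the identical bytes.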


* bug#29232: [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
  2017-11-09 22:51 ` Ludovic Courtès
@ 2017-11-10 17:17   ` Leo Famulari
  2017-11-10 21:42     ` [bug#29232] " Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2017-11-10 17:17 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: 29232-done


On Thu, Nov 09, 2017 at 11:51:48PM +0100, Ludovic Courtès wrote:
> Hello,
> 
> Leo Famulari <leo@famulari.name> skribis:
> 
> > What do you think of fetching the patches like this, instead of copying
> > them into the Guix source tree?
> 
> I think it’s OK.  If the Gitweb instance disappears, or if it changes
> somehow, hopefully the patch itself will still have the same hash, so we
> can always change to a different URL or a local file.
> 
> > * gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
> > (qemu)[source]: Use qemu-patch.
> 
> […]
> 
> > +            (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
> > +                        "qemu-CVE-2017-15038.patch"
> > +                        (base32
> > +                         "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
> > +            (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
> > +                        "qemu-CVE-2017-15268.patch"
> > +                        (base32
> > +                         "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
> > +            (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
> > +                        "qemu-CVE-2017-15289.patch"
> > +                        (base32
> > +                         "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))
> 
> I trust these commits correspond to these CVEs.

Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
ol' annotated patch files instead.

Fetching the patches like this is too opaque. There's no *easy* way to
view the patches or figure out where they came from. The upstream
commits don't mention the CVE ID, and every interested person has to
re-do the work of correlating the patch with the ID'd bug.

In practice, I think this extra work means that nobody will ever review
the patches or check that they correspond to a particular bug. Making
that easy is worth the extra bytes in our source tree.

Also I'm not confident that it will be easy to find bit-reproducible
patches in the future, whereas I think it will be easy to find the QEMU
tarballs and the patches from our Git repo.



* [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
  2017-11-10 17:17   ` bug#29232: " Leo Famulari
@ 2017-11-10 21:42     ` Ludovic Courtès
  0 siblings, 0 replies; 4+ messages in thread
From: Ludovic Courtès @ 2017-11-10 21:42 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 29232-done

Hello,

Leo Famulari <leo@famulari.name> skribis:

> Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
> ol' annotated patch files instead.
>
> Fetching the patches like this is too opaque. There's no *easy* way to
> view the patches or figure out where they came from. The upstream
> commits don't mention the CVE ID, and every interested person has to
> re-do the work of correlating the patch with the ID'd bug.
>
> In practice, I think this extra work means that nobody will ever review
> the patches or check that they correspond to a particular bug. Making
> that easy is worth the extra bytes in our source tree.

True.  I’m more inclined to skim over CVE patches that are inlined than
in this case.

> Also I'm not confident that it will be easy to find bit-reproducible
> patches in the future, whereas I think it will be easy to find the QEMU
> tarballs and the patches from our Git repo.

I’m a little bit more confident given that the Gitweb-generated patches
are merely raw commits, but I get your point.

Thanks!

Ludo’.
