Subject: [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: 29232-done@debbugs.gnu.org
Date: Fri, 10 Nov 2017 22:42:21 +0100
Message-ID: <87shdllsjm.fsf@gnu.org>
In-Reply-To: <20171110171738.GC11031@jasmine.lan> (Leo Famulari's message of "Fri, 10 Nov 2017 12:17:38 -0500")
References: <98773909c59c0ca327584f7d20ec35eedff74c79.1510251328.git.leo@famulari.name> <87a7zvhxq3.fsf@gnu.org> <20171110171738.GC11031@jasmine.lan>

Hello,

Leo Famulari skribis:

> Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
> ol' annotated patch files instead.
>
> Fetching the patches like this is too opaque. There's no *easy* way to
> view the patches or figure out where they came from. The upstream
> commits don't mention the CVE ID, and every interested person has to
> re-do the work of correlating the patch with the ID'd bug.
>
> In practice, I think this extra work means that nobody will ever review
> the patches or check that they correspond to a particular bug. Making
> that easy is worth the extra bytes in our source tree.

True. I’m more inclined to skim over CVE patches that are inlined than in this case.

> Also I'm not confident that it will be easy to find bit-reproducible
> patches in the future, whereas I think it will be easy to find the QEMU
> tarballs and the patches from our Git repo.

I’m a little bit more confident given that the Gitweb-generated patches are merely raw commits, but I get your point.

Thanks!

Ludo’.