--- Begin Message ---
|
Subject: |
[PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}. |
|
Date: |
Thu, 9 Nov 2017 13:15:53 -0500 |
What do you think of fetching the patches like this, instead of copying
them into the Guix source tree?
* gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
(qemu)[source]: Use qemu-patch.
---
gnu/packages/virtualization.scm | 31 +++++++++++++++++++++++--------
1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 14b1dfbe0..2a2f41626 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -69,7 +69,7 @@
(origin
(method url-fetch)
(uri (string-append
- "http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=";
+ "https://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=";
commit))
(sha256 sha256)
(file-name file-name)))
@@ -78,13 +78,28 @@
(package
(name "qemu")
(version "2.10.1")
- (source (origin
- (method url-fetch)
- (uri (string-append "https://download.qemu.org/qemu-";
- version ".tar.xz"))
- (sha256
- (base32
- "1ahwl7r18iw2ds0q3c51nlivqsan9hcgnc8bbf9pv366iy81mm8x"))))
+ (source
+ (origin
+ (method url-fetch)
+ (uri (string-append "https://download.qemu.org/qemu-";
+ version ".tar.xz"))
+ (patches
+ (list
+ (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
+ "qemu-CVE-2017-15038.patch"
+ (base32
+
"0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
+ (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
+ "qemu-CVE-2017-15268.patch"
+ (base32
+
"1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
+ (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
+ "qemu-CVE-2017-15289.patch"
+ (base32
+
"1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))
+ (sha256
+ (base32
+ "1ahwl7r18iw2ds0q3c51nlivqsan9hcgnc8bbf9pv366iy81mm8x"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like:
--
2.15.0
--- End Message ---
--- Begin Message ---
|
Subject: |
Re: [bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}. |
|
Date: |
Fri, 10 Nov 2017 12:17:38 -0500 |
|
User-agent: |
Mutt/1.9.1 (2017-09-22) |
On Thu, Nov 09, 2017 at 11:51:48PM +0100, Ludovic Courtès wrote:
> Hello,
>
> Leo Famulari <address@hidden> skribis:
>
> > What do you think of fetching the patches like this, instead of copying
> > them into the Guix source tree?
>
> I think it’s OK. If the Gitweb instance disappears, or if it changes
> somehow, hopefully the patch itself will still have the same hash, so we
> can always change to different URL or a local file.
>
> > * gnu/packages/virtualization.scm (qemu-patch): Use HTTPS.
> > (qemu)[source]: Use qemu-patch.
>
> […]
>
> > + (qemu-patch "7bd92756303f2158a68d5166264dc30139b813b6"
> > + "qemu-CVE-2017-15038.patch"
> > + (base32
> > +
> > "0wpgf8ivjdbaihf2l7720h1fydh7kdl36wj2nchjd9irfkhw399q"))
> > + (qemu-patch "a7b20a8efa28e5f22c26c06cd06c2f12bc863493"
> > + "qemu-CVE-2017-15268.patch"
> > + (base32
> > +
> > "1adhwj91pmgbmdvyrkvslbfsyz7l00xdrr6vzps6s58q5idvdp79"))
> > + (qemu-patch "eb38e1bc3740725ca29a535351de94107ec58d51"
> > + "qemu-CVE-2017-15289.patch"
> > + (base32
> > +
> > "1zshrlzbwgwrsnimbq8kqr7injd65ncsr8a4lrmgyfv185ma4z8d"))))
>
> I trust these commits correspond to these CVEs.
Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
ol' annotated patch files instead.
Fetching the patches like this is too opaque. There's no *easy* way to
view the patches or figure out where they came from. The upstream
commits don't mention the CVE ID, and every interested person has to
re-do the work of corrolating the patch with the ID'd bug.
In practice, I think this extra works means that nobody will ever review
the patches or check that they correspond to a particular bug. Making
that easy is worth the extra bytes in our source tree.
Also I'm not confident that it will be easy to find bit-reproducible
patches in the future, whereas I think it will be easy to find the QEMU
tarballs and the patches from our Git repo.
signature.asc
Description: PGP signature
--- End Message ---