[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
|
From: |
Ludovic Courtès |
|
Subject: |
[bug#29232] [PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}. |
|
Date: |
Fri, 10 Nov 2017 22:42:21 +0100 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux) |
Hello,
Leo Famulari <address@hidden> skribis:
> Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
> ol' annotated patch files instead.
>
> Fetching the patches like this is too opaque. There's no *easy* way to
> view the patches or figure out where they came from. The upstream
> commits don't mention the CVE ID, and every interested person has to
> re-do the work of corrolating the patch with the ID'd bug.
>
> In practice, I think this extra works means that nobody will ever review
> the patches or check that they correspond to a particular bug. Making
> that easy is worth the extra bytes in our source tree.
True. I’m more inclined to skim over CVE patches that are inlined than
in this case.
> Also I'm not confident that it will be easy to find bit-reproducible
> patches in the future, whereas I think it will be easy to find the QEMU
> tarballs and the patches from our Git repo.
I’m a little bit more confident given that the Gitweb-generated patches
are merely raw commits, but I get your point.
Thanks!
Ludo’.