Re: [Qemu-devel] Should we have a 2.0-rc3 ?

[Michael S. Tsirkin]

On Sat, Apr 12, 2014 at 12:48:41PM +0400, Michael Tokarev wrote:
> 11.04.2014 21:37, Peter Maydell wrote:
> []
> > Patches on list but need review/ack and/or not sure whether to apply:
> >  * kvm_physical_sync_dirty_bitmap bug
> 
> Paolo proposed to revert the change which lead to that bug, but it
> seems wrong thing to do, since original code was clearly wrong.
> Maybe it is a good idea to apply Hallyn's version instead of mine
> (when done against the right tree), as it makes the code closer
> to the original version but more correct.
> 
> >  * vmxnet3 patches
> 
> I think this is not dangerous to go in before 2.0.  We wont have more
> testing even if it were applied much earlier, because this device is
> rather exotic in qemu world and isn't used often.  On the other hand,
> having less CVE IDs for a release is good, in my opinion.

The CVE in question deal with malicious state loading.
Even if we apply these specific ones we still have
a bunch of patches queued in Juan's tree and
pending review.

So either we declare that loading malicious state isn't safe
in 2.0, and address this class of issues for 2.1,
or try to address them all for 2.1.

Fixing just vmxnet3 seems kind of useless.

> > Raised as issues but no patches:
> >  * PCI bus naming
> >  * win64 virtio-scsi regression
> > 
> > Assistance welcomed in moving patches in the last two
> > categories into either "ready to apply" or "not for 2.0" :-)
> > 
> > thanks
> > -- PMM
> >