GNU bug report logs -
#29232
[PATCH] gnu: qemu: Fix CVE-2017-{15038,15268,15289}.
Previous Next
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Thu, 9 Nov 2017 18:17:01 UTC
Severity: normal
Tags: patch
Done: Leo Famulari <leo <at> famulari.name>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
Hello,
Leo Famulari <leo <at> famulari.name> skribis:
> Okay, I pushed adf7e69cab6180ef75360a1c0731c93f4bff2b18, which uses good
> ol' annotated patch files instead.
>
> Fetching the patches like this is too opaque. There's no *easy* way to
> view the patches or figure out where they came from. The upstream
> commits don't mention the CVE ID, and every interested person has to
> re-do the work of corrolating the patch with the ID'd bug.
>
> In practice, I think this extra works means that nobody will ever review
> the patches or check that they correspond to a particular bug. Making
> that easy is worth the extra bytes in our source tree.
True. I’m more inclined to skim over CVE patches that are inlined than
in this case.
> Also I'm not confident that it will be easy to find bit-reproducible
> patches in the future, whereas I think it will be easy to find the QEMU
> tarballs and the patches from our Git repo.
I’m a little bit more confident given that the Gitweb-generated patches
are merely raw commits, but I get your point.
Thanks!
Ludo’.
This bug report was last modified 7 years and 272 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.