[OE-core] [jethro][fido][PATCH 4/4] openssl: three CVE fixes
Paul Eggleton
paul.eggleton at linux.intel.com
Sun Dec 13 19:32:31 UTC 2015
On Sat, 12 Dec 2015 13:14:52 akuster808 wrote:
> On 12/07/2015 11:49 PM, Anders Darander wrote:
> > Hi,
> >
> > * Armin Kuster <akuster808 at gmail.com> [151208 02:49]:
> >> meta/recipes-connectivity/openssl/openssl_1.0.2d.bb | 4 ++++
> >> 1 file changed, 4 insertions(+)
> >
> > I'm just a little curious about this series, and a few others that I've
> > seen recently. They all add a number of CVE patches, with one commit per
> > patch, and as the last commit, they all get added to SRC_URI in a single
> > patch.
> >
> > What's the reason to do it like this?
>
> Each CVE patch can be leveraged independently so back porting to other
> branches is simpler and less work. The recipe file is where merge
> conflicts will occur. Not all CVEs are weighted the same so someone who
> has a product in the field can easily cherry pick the CVEs they want or
> need. This was talked about on IRC a few weeks ago.
Well, except they might cherry-pick the fix commit on the assumption that it
fixes the CVE, when unfortunately it doesn't because the included patch isn't
actually applied within the recipe in that commit.
I can see how this makes things slightly easier for backporting, but honestly
I don't like it. I don't believe it matches with our practice up to this point
either.
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
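As an added example (not from this thread or from the OE-core project), a small check for exactly the failure mode Paul describes: patch files shipped next to a recipe that its SRC_URI never applies, which is what a cherry-picked "add patch file" commit without the matching SRC_URI commit leaves behind. The recipe text and file names below are constructed placeholders, and the SRC_URI parsing is a deliberate simplification of BitBake syntax.

```python
import re
from pathlib import Path

# Quoted value of any SRC_URI assignment (=, +=, .=, =+, _append, _prepend);
# backslash-newline continuations stay inside the quotes, so DOTALL is enough.
_SRC_URI_RE = re.compile(
    r'SRC_URI(?:_append|_prepend)?\s*(?:\+=|\.=|=\+|=\.|=)\s*"([^"]*)"', re.S)
# A file:// entry ends at whitespace, a quote, a backslash or a ;param suffix.
_FILE_RE = re.compile(r'file://([^\s;"\\]+)')


def referenced_patches(recipe_text):
    """Basenames of every file:// patch/diff listed in the recipe's SRC_URI."""
    names = set()
    for m in _SRC_URI_RE.finditer(recipe_text):
        for f in _FILE_RE.findall(m.group(1)):
            if f.endswith((".patch", ".diff")):
                names.add(Path(f).name)
    return names


def orphan_patches(recipe_text, patch_files):
    """Patch files present beside the recipe that SRC_URI never applies."""
    referenced = referenced_patches(recipe_text)
    return sorted(p for p in patch_files if Path(p).name not in referenced)


# Constructed sample: a recipe whose SRC_URI lists two CVE patches while a
# third patch file exists in the recipe's files directory but is never applied.
SAMPLE_RECIPE = '''
SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \\
           file://configure-targets.patch \\
           file://cve-fix-1.patch;striplevel=1 \\
          "
SRC_URI += "file://cve-fix-2.patch"
'''
SAMPLE_FILES = ["configure-targets.patch", "cve-fix-1.patch",
                "cve-fix-2.patch", "cve-fix-3.patch"]

if __name__ == "__main__":
    for p in orphan_patches(SAMPLE_RECIPE, SAMPLE_FILES):
        print("WARNING: %s is not referenced by SRC_URI (CVE fix not applied)" % p)
```

Run against a real checkout, the patch list would come from the recipe's files directory after cherry-picking a CVE commit; a non-empty result means the fix is present in the tree but not in the build.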