[OE-core] [jethro][fido][PATCH 4/4] openssl: three CVE fixes

Anders Darander anders at chargestorm.se
Mon Dec 14 10:40:27 UTC 2015


* akuster808 <akuster808 at gmail.com> [151212 22:14]:
> On 12/07/2015 11:49 PM, Anders Darander wrote:
> > Hi,

> > * Armin Kuster <akuster808 at gmail.com> [151208 02:49]:

> >>  meta/recipes-connectivity/openssl/openssl_1.0.2d.bb | 4 ++++
> >>  1 file changed, 4 insertions(+)

> > I'm just a little curious about this series, and a few others that I've
> > seen recently. They all add a number of CVE-patches, with one commit per
> > patch, and as the last commit, they all get added to SRC_URI in a single
> > patch.

> > What's the reason to do it like this?

> Each CVE patch can be leveraged independently so back porting to other
> branches is simpler and less work.  The recipe file is where merge
> conflicts will occur. Not all CVEs are weighted the same so someone who
> has a product in the field can easily cherry pick the CVEs they want or
> need. This was talked about on IRC a few weeks ago.

Well, you have the obvious risk of backporting a fix, and assuming that
it gets applied.

The conflict will anyway appear in the recipe, so there's no real
issue. Handling that conflict (which is easy to spot and solve) will
also ensure that you're aware of the fact that you have a difference
between your local branch and upstream.

> > I'd personally prefer to have each CVE-patch also add the patch to
> > SRC_URI, as that makes cherry-picking more straightforward. And it also
> > ensures that if we have a need to bisect some issue, that'll work. At
> > the same time that will make the meta-data consistent, i.e. no dead
> > patches.

> > I'd personally even prefer that whole series squashed to one commit,
> > compared to this adding a lot of un-applied patches.

> That would add more overhead to the work I do internally as I need them
> in the format you have seen here.

Sure, I don't want the squashed patch either, but I want the commit that
introduces a patch to also apply it.

> Are these patches not in the preferred method as described on the wiki?

In my opinion, the patches should be applied by the commit adding them.
Otherwise, we've got commits that just add dead weight to the
meta-data.  Just as we prefer a commit that removes a patch from SRC_URI
to also remove the actual patch itself.

Cheers,
Anders

-- 
Anders Darander, Senior System Architect
ChargeStorm AB / eStorm AB
