Hi Ben, thanks for the review.
On 05/03/2019 23:00, Ben Hutchings wrote:
> On Fri, 2019-03-01 at 14:05 +0100, Emilio Pozuelo Monfort wrote:
>> Hi Ben,
>>
>> I have prepared an update for CVE-2018-5383/firmware-nonfree by backporting
>> the
>> fixed firmware from the upstream repo that I could find. See my two commits
>> in:
>>
>> https://salsa.debian.org/pochu/firmware-nonfree/commits/jessie-security
>>
>> I built the packages and compared one of the non-affected packages (qlogic)
>> and
>> only the changelog has changed. Comparing atheros, the two drivers are
>> updated,
>> and for intel some of the files are updated. However I see that for intel
>> there
>> are some drivers that we don't ship in that version of firmware-nonfree, e.g.
>> ibt-{17,18}-*. For those, I wonder if we should update and ship them. If
>> there's
>> any user with that hardware, they would need a firmware update I suppose.
>
> firmware-nonfree is meant to support the kernel version(s) shipped in
> the same suite, in the previous release, or in intermediate versions.
> So for jessie that's 3.2-4.9 inclusive. If one of those kernel
> versions may request the added files then they should be packaged.
> Otherwise it's not necessary - users installing a newer kernel package
> from another suite can get the firmware packages from there too.
Right, makes sense. I suppose that since the Intel ibt-{17,18}-* firmware is not
present in the stretch package, that we shouldn't add it here. So I limited this
to updating the firmware that was already present.
>> (It
>> may be unlikely for old suites to have users with new hardware, however it's
>> possible and users that don't have it will be unaffected by the new
>> firmware, so
>> it wouldn't hurt to ship it.)
>>
>> My branch is for jessie but I can prepare it for stretch too if you think
>> that's
>> worth it.
>
> The current jessie-security version of firmware-nonfree is really a
> backport from stretch. So I would prefer it if you update the stretch
> branch first and then merge that to jessie-security.
Ack. I updated stretch here:
https://salsa.debian.org/pochu/firmware-nonfree/commits/stretch
and created a MR:
https://salsa.debian.org/kernel-team/firmware-nonfree/merge_requests/6
If this looks fine I'd be happy to submit a pu bug for stable, and I'll also
look into an update for jessie.
Cheers,
Emilio
