Daniel Kiper via Grub-devel <grub-devel@gnu.org> on Tue, 2025/02/18 19:00:
> I am posting all the GRUB2 upstream patches which fix all security bugs
> found and reported up until now. Major Linux distros carry or will carry
> soon one form or another of these patches. Now all the GRUB2 upstream
> patches are in the GRUB2 git repository [2] too.

Let me investigate here... Most people do consider Arch Linux a major Linux distro, no? I do. So it is expected that we do ship a grub package "soon" that will carry "one form or another of these patches".

Ok, what are these forms? Let's see what we have: Current git master has 212 commits since the last release, a whopping 73 of these being recent security fixes. That makes 139 earlier commits randomly spread over the code base.

First try: I started rebasing the 73 security commits on top of last release. Even the very first one had conflicts, so I gave up really soon with a really huge amount of work still ahead. Is every package maintainer supposed to do its own cherry-picking and backporting? IMHO this is not a viable "solution".

Second try: There's nothing else, no? So we pushed a package built from git master. Soon we realized that was suffering issues and pulled it from the repository.

Currently all Arch Linux users are left with a package of the last release - without any fixes for the countless vulnerabilities.

Wondering how other distributions handle this. Can anybody shed some light on this?

From my point of view as package maintainer I would like to see maintenance branches, at least one for the most recent release. This should carry important bug and security fixes. All distributions could base their packages on that, and provide really stable packages to their users, reducing the chance of random breakage.

The current situation is just insane. Well, one of my issues is fixed and will hopefully be committed to master soon. I cannot reproduce the other one - for whatever reason. Guess we will soon push another git package to our users. Holding thumbs...

Thanks for listening and have a nice day!
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}