On 12/07/2015 11:49 PM, Anders Darander wrote:
> Hi,
>
> * Armin Kuster <akuster...@gmail.com> [151208 02:49]:
>
>> meta/recipes-connectivity/openssl/openssl_1.0.2d.bb | 4 ++++
>> 1 file changed, 4 insertions(+)
>
> I'm just a little curious about this series, and a few others that I've
> seen recently. They all add a number of CVE-patches, with one commit per
> patch, and as the last commit, they all get added to SRC_URI in a single
> patch.
>
> What's the reason to do it like this?

Each CVE patch can be leveraged independently so back porting to other branches is simpler and less work. The recipe file is where merge conflicts will occur. Not all CVEs are weighted the same so someone who has a product in the field can easily cherry pick the CVEs they want or need. This was talked about on IRC a few weeks ago.

>
> I'd personally prefer to have each CVE-patch also add the patch to
> SRC_URI, as that makes cherry-picking more straightforward. And it also
> ensures that if we have a need to bisect some issue, that'll work. At
> the same time that will make the meta-data consistent, i.e. no dead
> patches.
>
> I'd personally even prefer that whole series squashed to one commit,
> compared to this adding a lot of un-applied patches.

That would add more overhead to the work I do internally as I need them in the format you have seen here. Are these patches not in the preferred method as described on wiki?

Regards,
- armin

> Any comments on this?
>
> Cheers,
> Anders
>
>> diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb >> b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb >> index fd56841..3864e88 100644 >> --- a/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb >> +++ b/meta/recipes-connectivity/openssl/openssl_1.0.2d.bb >> @@ -37,6 +37,10 @@ SRC_URI += "file://configure-targets.patch \ >> file://crypto_use_bigint_in_x86-64_perl.patch \ >> file://openssl-1.0.2a-x32-asm.patch \ >> file://ptest_makefile_deps.patch \ >> + >> file://CVE-2015-3193-bn-asm-x86_64-mont5.pl-fix-carry-propagating-bug-CVE.patch >> \ >> + file://CVE-2015-3194-1-Add-PSS-parameter-check.patch \ >> + file://0001-Add-test-for-CVE-2015-3194.patch \ >> + file://CVE-2015-3195-Fix-leak-with-ASN.1-combine.patch \ >> "
>
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
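
Review bot: In the added SRC_URI entries, `0001-Add-test-for-CVE-2015-3194.patch` keeps a git format-patch style name while the other three carry a `CVE-<id>-` prefix, and `CVE-2015-3194-1-Add-PSS-parameter-check.patch` implies a second part that is not listed under that name. Renaming the test patch to follow the same prefix (for example `CVE-2015-3194-2-Add-test-for-CVE-2015-3194.patch`) would keep both 3194 entries recognisably paired, so someone cherry-picking a single CVE can see which entries belong together. The diffstat shows only the recipe changing (1 file, 4 insertions), so this commit depends on the earlier commits that add the patch files; stating that dependency in the commit message would help anyone backporting it on its own.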