Re: [edk2-devel] pixiefail

2024-01-24 Thread Gerd Hoffmann
On Wed, Jan 24, 2024 at 07:20:34AM -0800, Vincent Zimmer wrote:
> I agree on your sentiment about Bugzilla (bz) not being ideal for this.
> This space has been a multi-year journey from usrt-based tickets, bespoke
> advisories, bz, etc into today's world of tianocore infosec, tianocore as
> its own

Re: [edk2-devel] pixiefail

2024-01-24 Thread Laszlo Ersek
On 1/24/24 16:20, Vincent Zimmer wrote:
> I agree on your sentiment about Bugzilla (bz) not being ideal for this.
> This space has been a multi-year journey from usrt-based tickets,
> bespoke advisories, bz, etc into today's world of tianocore infosec,
> tianocore as its own CVE Naming Authority (C

Re: [edk2-devel] pixiefail

2024-01-24 Thread vincent zimmer
I agree on your sentiment about Bugzilla (bz) not being ideal for this. This space has been a multi-year journey from usrt-based tickets, bespoke advisories, bz, etc into today's world of tianocore infosec, tianocore as its own CVE Naming Authority (CNA) and working to leverage the extant features

Re: [edk2-devel] pixiefail

2024-01-24 Thread Laszlo Ersek
On 1/24/24 15:35, Laszlo Ersek wrote:
> I figure the most flexible approach for those that dislike email-based
> review for embargoed patches would be if github.com supported locked
> down *PRs* (i.e., not private organizations). In other words, if those
> PRs would be submitted against the same ba

Re: [edk2-devel] pixiefail

2024-01-24 Thread Laszlo Ersek
On 1/23/24 19:49, Doug Flick via groups.io wrote:
> Gerd,
>
> As a new EDK2 developer, I'm working through getting the patches up
> to EDK2 but I have to follow the EDK2 patch process which is not the
> fastest thing to follow and also not my day job. If you want to see
> where I am you can look a

Re: [edk2-devel] pixiefail

2024-01-23 Thread Doug Flick via groups.io
Gerd, As a new EDK2 developer, I'm working through getting the patches up to EDK2 but I have to follow the EDK2 patch process which is not the fastest thing to follow and also not my day job. If you want to see where I am you can look at the CI Pipeline. The patches were reviewed during the GHS

[edk2-devel] pixiefail

2024-01-23 Thread Gerd Hoffmann
Hi, What is the state of affairs wrt. the pixiefail vulnerabilities? The advisory is published (https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h), it says the plan is to have the fixes included in the next (Feb 2024) stable tag. I see bugzilla has patches attached, mos