On Thu, 18 Jan 2018, Julien Grall wrote:
> (+ Security team)
>
> Hi Stefano,
>
> On 17/01/18 21:47, Stefano Stabellini wrote:
> > On Wed, 17 Jan 2018, Stefano Stabellini wrote:
> > > On Wed, 17 Jan 2018, Lars Kurth wrote:
> > > > Regarding README.source, this is covering file and contain the
> > > > same mention as in the commit message. As this is a single function.
> > > > Isn't the commit message
> > > > enough?
> > > >
> > > >
> > > > From a legal viewpoint it is enough.
> > >
> > > If that is enough from a legal viewpoint, then it is enough for me.
> > >
> > > However, from a legal viewpoint, I thought we needed to explicitly
> > > mention all the original signed-off-bys because Julien is not actually
> > > the copyright holder for that function, hence, we need to add the
> > > signed-off-bys of all the missing copyright holders.
> >
> > Actually, reading again the Developer’s Certificate of Origin, it
> > states:
> >
> > "The contribution is based upon previous work that, to the best of my
> > knowledge, is covered under an appropriate open source license and I have
> > the right under that license to submit that work with modifications, whether
> > created in whole or in part by me, under the same open source license
> > (unless I am permitted to submit under a different license), as indicated in
> > the file"
> >
> > so I think Lars is right. In that case, there is no need to resubmit
> > this series, I'll commit to staging as is. If tests go well, I'll
> > backport it to the stable trees.
> Thank you! I have created branches with patches backported up to Xen 4.8. With
> minor changes:
>
> - Xen 4.10: No changes
> - Xen 4.9:
> * minor conflict in some files
> * compilation failure in cpuerrata.c (__virt_to_mfn does not exist)
> - Xen 4.8:
> * conflict in some files (one medium as the number of "features" is
> different)
> * compilation failure in cpuerrata.c (__virt_to_mfn does not exist)
>
> The branches can be found on xenbits [1] : xsa-254-sp2-X.XX where X.XX is the
> version of Xen.
>
> Xen 4.7 and earlier does not have cpufeature/cpuerrata infrastructure and will
> require backport. The only difficulty here should be finding the list of
> commits required.
>
> Also, we probably want to update the XSA pointing to the patches. So if
> someone wants to backport to Xen 4.7 (or earlier) they can. Any opinions?
Thank you, Julien. Ideally, I would like to do the backports after
OSSTest passes its tests on those changes. In practice, for the sake of
mitigating SP2 as soon as possible, tomorrow (Friday) I might do the
backports anyway, if OSSTest is still behind on other problems.
I don't think that backporting cpufeature/cpuerrata to 4.7 should be too
convoluted, I'll give that a go as well.
Once done, I'll provide the list of commits to the xen security list so
that the XSA advisory can be updated appropriately.
Cheers,
Stefano
> Cheers,
>
> [1] https://xenbits.xen.org/git-http/people/julieng/xen-unstable.git
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
