From: "Andreas K. Huettel"
To: libc-alpha@sourceware.org, Siddhesh Poyarekar
Cc: carlos@redhat.com, adhemerval.zanella@linaro.org, fweimer@redhat.com
Subject: Re: [PATCH v2] Update advisory format and introduce some automation
Date: Sun, 28 Jan 2024 00:54:47 +0100
Message-ID: <1799412.TLkxdtWsSY@pinacolada>
In-Reply-To: <20240124200204.137436-1-siddhesh@sourceware.org>
Organization: Gentoo Linux

On Wednesday, 24 January 2024, 21:02:04 CET, Siddhesh Poyarekar wrote:
> Simplify the advisory format by dropping the -Backport tags and instead
> stick to using just the -Commit tags. To identify backports, put a
> substring of git-describe into the release version in the brackets next
> to the commit ref. This way, it not only identifies that the fix (or
> regression) is on the release/2.YY/master branch, it also disambiguates
> regressions/fixes in the branch from those in the tarball.
>
> Add a README to make it easier for consumers to understand the format.
> Additionally, the Release wiki needs to be updated to inform the release
> manager to:
>
> 1. Generate a NEWS snippet from the advisories directory
>
> AND
>
> 2. on release/2.YY/master, replace the advisories directory with a text
> file pointing to the advisories directory in master so that we don't
> have to update multiple locations.
>
> Signed-off-by: Siddhesh Poyarekar
> ---
>

Some minor things below, otherwise good to go and
Reviewed-by: Andreas K. Hüttel

> +
> + Tag-name: (release-version)
> +
> +The indicates a specific commit in the repository. The
> +release-version indicates the publicly consumable release in which this
> +commit is known to exist. For a simple release-version, e.g. 2.34, this
> +change is present in release tarballs. For release-version of the form
> +2.34-NNN (e.g. 2.34-42), the change is on the release/2.34/master
> +branch and not in any released tarball.

Since this follows git-describe, I assume it means the 42nd commit on the
branch after the tag... Why not write that here?

> +Adding an Advisory
> +------------------
> +
> +An advisory for a CVE needs to be added in two steps:
> +
> +1.

On the master branch, ...

> Add the text of the advisory without any Fix-Commit tags along with
> + the fix for the CVE. Add the Vulnerable-Commit tag, if applicable.
> + The advisories directory does not exist in

... release ...

> branches, so keep the
> + advisory text commit distinct from the code changes, to ease
> + backports. Ask for the GLIBC-SA advisory number from the security
> + team.
> +
> +2. Finish all backports

... on release branches ...

> and then add all commits to the advisory

... on the master branch ...

> using
> + the Fix-Commit tags. Don't add the release-version subscript.
> +
> +3. Run the process-advisories.sh script in the scripts directory on the
> + advisory:

[...]

> +
> +advisories_news() {
> + rel=$(get_rel "HEAD")
> + for f in $(grep -l "^Fix-Commit: .* ($rel)$" advisories/*); do
> + echo -e " $(basename $f):"
> + cve_id=$(sed -n 's/CVE-Id: \(.*\)/\1/p' $f)

^ This assumes that every SA will ever have exactly one CVE. Is that a safe assumption?

> + echo "$(head -1 $f) ($cve_id)" | fold -w 68 -s |
> + while read line; do
> + echo " $line"
> + done
> + echo
> + done

--
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)
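Review bot: the release-version paragraph in the README hunk explains the 2.34-NNN form only by example (2.34-42) and never states what NNN is or how a consumer maps it back to a commit; since the commit message says the value is a substring of git-describe, say so in the README (NNN is the commit count after the release tag on release/2.34/master), otherwise the reading Andreas had to infer stays implicit for everyone parsing these files.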
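Review bot: in the "Adding an Advisory" hunk the intro says an advisory "needs to be added in two steps" but the list has three numbered steps (the third runs process-advisories.sh); either change the count or fold step 3 into step 2. Step 2 also refers to the "release-version subscript" while the format section above calls the same thing "release-version" in parentheses after the commit ref; use one term in both places so a reader can connect the instruction to the format.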
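Review bot: in the advisories_news hunk, `cve_id=$(sed -n 's/CVE-Id: \(.*\)/\1/p' $f)` is unanchored and keeps every matching line, so an advisory with two CVE-Id lines (the case raised above) yields a cve_id containing a newline, and the following `echo "$(head -1 $f) ($cve_id)"` then emits a broken NEWS entry; anchor the pattern and join the ids explicitly, e.g. `sed -n 's/^CVE-Id: \(.*\)$/\1/p' "$f" | paste -sd,`. In the same hunk `$f` is unquoted in `basename $f`, `sed ... $f` and `head -1 $f`, `while read line` should be `while read -r line`, and `$rel` is interpolated into a grep regex unescaped, so the dot in a version such as 2.39 matches any character; escape it before building the pattern.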
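Added example, not part of Andreas's mail or of the glibc patch under review: a small Python consumer of the advisory format the quoted README describes. It takes the first line as the summary (as the script's `head -1` does), collects every CVE-Id line rather than only the first, parses Fix-Commit and Vulnerable-Commit tags, and distinguishes a release-version like 2.34 (fix present in the tarball) from 2.34-NNN (fix only on release/2.34/master). The sample advisory, its CVE ids and its commit hashes are constructed placeholders; the reading of NNN as the git-describe commit count after the release tag is the assumption made in the thread above.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample advisory; title, CVE ids and hashes are placeholders,
# not a real GLIBC-SA file.
SAMPLE_ADVISORY = """\
Constructed example: out-of-bounds read in a hypothetical string routine
CVE-Id: CVE-0000-00001
CVE-Id: CVE-0000-00002
Vulnerable-Commit: 0000000000000000000000000000000000000001 (2.34)
Fix-Commit: 0000000000000000000000000000000000000002 (2.39)
Fix-Commit: 0000000000000000000000000000000000000003 (2.38-17)
Fix-Commit: 0000000000000000000000000000000000000004 (2.34-42)
"""

# "Tag-name: <commit-ref> (release-version)", where release-version is either
# "2.34" (change is in the release tarball) or "2.34-NNN" (change is only on
# release/2.34/master; NNN assumed to be git-describe's commit count after the tag).
_COMMIT_RE = re.compile(
    r"^(?P<tag>Fix-Commit|Vulnerable-Commit): (?P<ref>[0-9a-f]{7,40}) "
    r"\((?P<release>\d+\.\d+)(?:-(?P<offset>\d+))?\)$"
)


@dataclass
class CommitRef:
    tag: str               # "Fix-Commit" or "Vulnerable-Commit"
    ref: str               # commit hash as written in the advisory
    release: str           # e.g. "2.34"
    offset: Optional[int]  # None: in the tarball; N: N commits past the tag on the branch

    @property
    def in_tarball(self) -> bool:
        return self.offset is None


@dataclass
class Advisory:
    title: str
    cve_ids: list = field(default_factory=list)
    commits: list = field(default_factory=list)


def parse_advisory(text: str) -> Advisory:
    """Parse one advisory file. Raises ValueError on a malformed commit tag."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty advisory")
    adv = Advisory(title=lines[0].strip())
    for line in lines[1:]:
        line = line.rstrip()
        if line.startswith("CVE-Id: "):
            adv.cve_ids.append(line[len("CVE-Id: "):].strip())
            continue
        m = _COMMIT_RE.match(line)
        if m:
            offset = m.group("offset")
            adv.commits.append(CommitRef(
                tag=m.group("tag"), ref=m.group("ref"), release=m.group("release"),
                offset=int(offset) if offset is not None else None))
        elif line.startswith(("Fix-Commit:", "Vulnerable-Commit:")):
            raise ValueError(f"malformed commit tag: {line!r}")
    return adv


def fix_status(adv: Advisory, release: str) -> Optional[str]:
    """'tarball' if a fix is in the given release's tarball, 'branch' if the
    advisory only lists it on release/<release>/master, None if no fix is
    recorded for that release at all."""
    fixes = [c for c in adv.commits if c.tag == "Fix-Commit" and c.release == release]
    if not fixes:
        return None
    return "tarball" if any(c.in_tarball for c in fixes) else "branch"


def news_line(adv: Advisory) -> str:
    """NEWS-style summary: title followed by every CVE id, not just the first."""
    if not adv.cve_ids:
        return adv.title
    return f"{adv.title} ({', '.join(adv.cve_ids)})"


if __name__ == "__main__":
    adv = parse_advisory(SAMPLE_ADVISORY)
    print(news_line(adv))
    for rel in ("2.34", "2.38", "2.39", "2.35"):
        print(rel, fix_status(adv, rel))
```

The status check is what a downstream consumer (a distribution or a scanner) actually needs from these files: whether a given release tarball already contains the fix, or whether only the release branch does, in which case a package built from the tarball is still affected unless the backport was applied.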