From: Siddhesh Poyarekar <siddhesh@sourceware.org>
To: "Andreas K. Huettel" <dilfridge@gentoo.org>, libc-alpha@sourceware.org
Cc: carlos@redhat.com, adhemerval.zanella@linaro.org, fweimer@redhat.com
Subject: Re: [PATCH v2] Update advisory format and introduce some automation
Date: Mon, 29 Jan 2024 08:55:53 -0500 [thread overview]
Message-ID: <274eab97-9ddb-4471-8ec6-e0d65945d646@sourceware.org> (raw)
In-Reply-To: <1799412.TLkxdtWsSY@pinacolada>
On 2024-01-27 18:54, Andreas K. Huettel wrote:
> Am Mittwoch, 24. Januar 2024, 21:02:04 CET schrieb Siddhesh Poyarekar:
>> Simplify the advisory format by dropping the -Backport tags and instead
>> stick to using just the -Commit tags. To identify backports, put a
>> substring of git-describe into the release version in the brackets next
>> to the commit ref. This way, it not only identifies that the fix (or
>> regression) is on the release/2.YY/master branch, it also disambiguates
>> regressions/fixes in the branch from those in the tarball.
>>
>> Add a README to make it easier for consumers to understand the format.
>> Additionally, the Release wiki needs to be updated to inform the release
>> manager to:
>>
>> 1. Generate a NEWS snipped from the advisories directory
>>
>> AND
>>
>> 2. on release/2.YY/master, replace the advisories directory with a text
>> file pointing to the advisories directory in master so that we don't
>> have to update multiple locations.
>>
>> Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
>> ---
>>
>
> Some minor things below, otherwise good to go and
>
> Reviewed-by: Andreas K. Hüttel <dilfridge@gentoo.org>
Thanks! I'm sending out a v3 with your suggested changes.
>
>
>> +
>> + Tag-name: <commit-ref> (release-version)
>> +
>> +The <commit-ref> indicates a specific commit in the repository. The
>> +release-version indicates the publicly consumable release in which this
>> +commit is known to exist. For a simple release-version, e.g. 2.34, this
>> +change is present in release tarballs. For release-version of the form
>> +2.34-NNN (e.g. 2.34-42), the change is on the release/2.34/master
>> +branch and not in any released tarball.
>
> Since this follows git-describe, I assume it means the 42th commit on the
> branch after the tag... Why not write that here?
Ack, will do.
>> +Adding an Advisory
>> +------------------
>> +
>> +An advisory for a CVE needs to be added in two steps:
>> +
>> +1.
>
> On the master branch, ...
OK.
>
>> Add the text of the advisory without any Fix-Commit tags along with
>> + the fix for the CVE. Add the Vulnerable-Commit tag, if applicable.
>> + The advisories directory does not exist in
>
> ... release ...
OK.
>> branches, so keep the
>> + advisory text commit distinct from the code changes, to ease
>> + backports. Ask for the GLIBC-SA advisory number from the security
>> + team.
>> +
>
>> +2. Finish all backports
>
> ... on release branches ...
OK.
>> and then add all commits to the advisory
>
> ... on the master branch ...
OK, I've reworded it a bit.
>> using
>> + the Fix-Commit tags. Don't add the release-version subscript.
>> +
>> +3. Run the process-advisories.sh script in the scripts directory on the
>> + advisory:
>
> [...]
>
>> +
>> +advisories_news() {
>> + rel=$(get_rel "HEAD")
>> + for f in $(grep -l "^Fix-Commit: .* ($rel)$" advisories/*); do
>> + echo -e " $(basename $f):"
>> + cve_id=$(sed -n 's/CVE-Id: \(.*\)/\1/p' $f)
>
> ^ This assumes that every SA will ever have exactly one CVE.
> Is that a safe assumption?
Yes, we'll maintain a 1:1 correspondence between GLIBC-SA- and CVE-.
>> + echo "$(head -1 $f) ($cve_id)" | fold -w 68 -s |
>> + while read line; do
>> + echo " $line"
>> + done
>> + echo
>> + done
Thanks,
Sid
next prev parent reply other threads:[~2024-01-29 13:56 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-24 19:58 [PATCH] " Siddhesh Poyarekar
2024-01-24 20:02 ` [PATCH v2] " Siddhesh Poyarekar
2024-01-27 23:54 ` Andreas K. Huettel
2024-01-29 13:55 ` Siddhesh Poyarekar [this message]
2024-01-28 0:10 ` Andreas K. Huettel
2024-01-29 13:56 ` Siddhesh Poyarekar
2024-01-29 13:56 ` [PATCH v3] " Siddhesh Poyarekar
2024-01-30 19:00 ` Siddhesh Poyarekar
2024-01-30 19:02 ` Andreas K. Huettel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=274eab97-9ddb-4471-8ec6-e0d65945d646@sourceware.org \
--to=siddhesh@sourceware.org \
--cc=adhemerval.zanella@linaro.org \
--cc=carlos@redhat.com \
--cc=dilfridge@gentoo.org \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).