* Re: [PATCH 1/1] binutils: fix PV to respect upstream tag and also cve database
  2019-03-28 12:13 ` [PATCH 1/1] " Chen Qi
@ 2019-03-28 12:06   ` Alexander Kanavin
  2019-03-28 13:15     ` Burton, Ross
  0 siblings, 1 reply; 12+ messages in thread
From: Alexander Kanavin @ 2019-03-28 12:06 UTC (permalink / raw)
  To: Chen Qi; +Cc: OE-core

On Thu, 28 Mar 2019 at 13:03, Chen Qi <Qi.Chen@windriver.com> wrote:
> Setting PV to "2.32.0" results in cve checking tools failing to
> report the actual unfixed CVEs. We need to change it to "2.32".
> After the change, when `bitbake -c cve_check binutils-native', we have:

I sent a related patch yesterday:
http://lists.openembedded.org/pipermail/openembedded-core/2019-March/280511.html

The problem with setting PV properly is that 2.32 is less than 2.32.0
and will cause the 'version going backwards' problem. But if RP/Khem
are fine with it, I would prefer your patch.

Alex


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [PATCH 0/1] binutils: fix PV to respect upstream tag and also cve database
@ 2019-03-28 12:13 Chen Qi
  2019-03-28 12:13 ` [PATCH 1/1] " Chen Qi
  0 siblings, 1 reply; 12+ messages in thread
From: Chen Qi @ 2019-03-28 12:13 UTC (permalink / raw)
  To: openembedded-core

*** BLURB HERE ***
The following changes since commit 35742c10f531ba451c06a4e360fecfb55f358b35:

  ref-manual: Removed DISK_DESCRIPTION variable from glossary (2019-03-26 15:38:56 +0000)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib ChenQi/binutils-pv
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=ChenQi/binutils-pv

Chen Qi (1):
  binutils: fix PV to respect upstream tag and also cve database

 meta/recipes-devtools/binutils/binutils-2.32.inc | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

-- 
1.9.1




* [PATCH 1/1] binutils: fix PV to respect upstream tag and also cve database
  2019-03-28 12:13 [PATCH 0/1] binutils: fix PV to respect upstream tag and also cve database Chen Qi
@ 2019-03-28 12:13 ` Chen Qi
  2019-03-28 12:06   ` Alexander Kanavin
  0 siblings, 1 reply; 12+ messages in thread
From: Chen Qi @ 2019-03-28 12:13 UTC (permalink / raw)
  To: openembedded-core

Setting PV to "2.32.0" results in cve checking tools failing to
report the actual unfixed CVEs. We need to change it to "2.32".
After the change, when `bitbake -c cve_check binutils-native', we have:

  binutils-native-2.32-r0 do_cve_check: Found unpatched CVE (CVE-2018-1000876 CVE-2019-9070 CVE-2019-9071 CVE-2019-9072 CVE-2019-9073 CVE-2019-9074 CVE-2019-9075 CVE-2019-9076 CVE-2019-9077)

Checking the upstream repo, it has tags like:
binutils-2_29
binutils-2_29_1
binutils-2_29_1.1
binutils-2_30
binutils-2_31
binutils-2_31_1
binutils-2_32

So we'd better respect both upstream tags and cve database and use '2.32'.
If binutils 2.32.1 is released some day, we then change the PV to '2.32.1'.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/recipes-devtools/binutils/binutils-2.32.inc | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/meta/recipes-devtools/binutils/binutils-2.32.inc b/meta/recipes-devtools/binutils/binutils-2.32.inc
index 7423986..b728c4e 100644
--- a/meta/recipes-devtools/binutils/binutils-2.32.inc
+++ b/meta/recipes-devtools/binutils/binutils-2.32.inc
@@ -10,13 +10,7 @@ LIC_FILES_CHKSUM="\
     file://bfd/COPYING;md5=d32239bcb673463ab874e80d47fae504\
     "
 
-def binutils_branch_version(d):
-    pvsplit = d.getVar('PV').split('.')
-    return pvsplit[0] + "_" + pvsplit[1]
-
-PV = "2.32.0"
-BINUPV = "${@binutils_branch_version(d)}"
-#BRANCH = "binutils-${BINUPV}-branch"
+PV = "2.32"
 BRANCH ?= "binutils-2_32-branch"
 
 UPSTREAM_CHECK_GITTAGREGEX = "binutils-(?P<pver>\d+_(\d_?)*)"
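Review bot: lowering PV from "2.32.0" to "2.32" without touching PE in this hunk makes the version go backwards for anyone consuming package feeds, since dpkg orders 2.32 < 2.32.0 (as noted later in the thread); either bump PE alongside the PV change, or keep PV as it is and set CVE_VERSION = "2.32" so that only cve-check sees the upstream version string. A second, smaller point: BRANCH used to be derived from PV via binutils_branch_version(), and after this change `BRANCH ?= "binutils-2_32-branch"` is a hard-coded value that a future bump to 2.32.1 must update by hand, which deserves a comment next to the PV line.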
-- 
1.9.1



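Added example (my own code, not part of Chen Qi's patch or of OE-core): the recipe's UPSTREAM_CHECK_GITTAGREGEX from the hunk above, applied to the upstream tag names quoted in the commit message, followed by a check of whether a candidate PV is literally one of the versions upstream tagged. The tag list is copied from the commit message; `tag_to_version`, `upstream_versions` and `pv_matches_upstream` are names I chose for this example.

```python
import re

# Regex exactly as it appears in binutils-2.32.inc (the hunk's trailing context line).
UPSTREAM_CHECK_GITTAGREGEX = r"binutils-(?P<pver>\d+_(\d_?)*)"

# Tags listed in the commit message (input constructed for this example).
UPSTREAM_TAGS = [
    "binutils-2_29", "binutils-2_29_1", "binutils-2_29_1.1",
    "binutils-2_30", "binutils-2_31", "binutils-2_31_1", "binutils-2_32",
]


def tag_to_version(tag: str):
    """Return the dotted version a tag maps to, or None if the regex rejects it.

    Upstream separates version components with '_', so '2_32' becomes '2.32'.
    The regex stops at the first character that is neither a digit nor '_',
    so the odd tag 'binutils-2_29_1.1' yields '2.29.1'.
    """
    m = re.match(UPSTREAM_CHECK_GITTAGREGEX, tag)
    if not m:
        return None
    return m.group("pver").replace("_", ".")


def upstream_versions(tags):
    """Set of dotted versions derived from a list of tag names."""
    return {v for v in (tag_to_version(t) for t in tags) if v is not None}


def pv_matches_upstream(pv: str, tags) -> bool:
    """True when the recipe's PV is literally one of the upstream-tagged versions.

    A plain string mismatch here ('2.32.0' vs '2.32') is the kind of discrepancy
    the commit message reports as making the CVE checker miss unpatched CVEs.
    """
    return pv in upstream_versions(tags)


if __name__ == "__main__":
    for tag in UPSTREAM_TAGS:
        print(f"{tag:22} -> {tag_to_version(tag)}")
    for pv in ("2.32.0", "2.32"):
        print(f"PV={pv!r}: matches an upstream tag? {pv_matches_upstream(pv, UPSTREAM_TAGS)}")
```

Running it prints the tag-to-version mapping and reports that "2.32.0" matches no upstream tag while "2.32" does, which is the check worth adding to a recipe review before trusting cve-check output.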

* Re: [PATCH 1/1] binutils: fix PV to respect upstream tag and also cve database
  2019-03-28 12:06   ` Alexander Kanavin
@ 2019-03-28 13:15     ` Burton, Ross
  2019-03-28 13:17       ` Burton, Ross
  0 siblings, 1 reply; 12+ messages in thread
From: Burton, Ross @ 2019-03-28 13:15 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE-core

On Thu, 28 Mar 2019 at 12:07, Alexander Kanavin <alex.kanavin@gmail.com> wrote:
> The problem with setting PV properly is that 2.32 is less than 2.32.0
> and will cause the 'version going backwards' problem. But if RP/Khem
> are fine with it, I would prefer your patch.

I just had a look at the code in bitbake and yes, it actually even
tests that 1 < 1.0.  I'd say that there's an argument for handling .0
releases specially and considering 2.32 == 2.32.0.

Ross



* Re: [PATCH 1/1] binutils: fix PV to respect upstream tag and also cve database
  2019-03-28 13:15     ` Burton, Ross
@ 2019-03-28 13:17       ` Burton, Ross
  2019-03-28 13:46         ` Tom Rini
  0 siblings, 1 reply; 12+ messages in thread
From: Burton, Ross @ 2019-03-28 13:17 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE-core

On Thu, 28 Mar 2019 at 13:15, Burton, Ross <ross.burton@intel.com> wrote:
> On Thu, 28 Mar 2019 at 12:07, Alexander Kanavin <alex.kanavin@gmail.com> wrote:
> > The problem with setting PV properly is that 2.32 is less than 2.32.0
> > and will cause the 'version going backwards' problem. But if RP/Khem
> > are fine with it, I would prefer your patch.
>
> I just had a look at the code in bitbake and yes, it actually even
> tests that 1 < 1.0.  I'd say that there's an argument for handling .0
> releases specially and considering 2.32 == 2.32.0.

Of course that test exists for people using feeds, and at least dpkg
thinks 2.32 < 2.32.0, so even if we changed the test the feed would
still be broken.

Ross



* Re: [PATCH 1/1] binutils: fix PV to respect upstream tag and also cve database
  2019-03-28 13:17       ` Burton, Ross
@ 2019-03-28 13:46         ` Tom Rini
  2019-03-28 13:50           ` Burton, Ross
  0 siblings, 1 reply; 12+ messages in thread
From: Tom Rini @ 2019-03-28 13:46 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE-core

On Thu, Mar 28, 2019 at 01:17:11PM +0000, Burton, Ross wrote:
> On Thu, 28 Mar 2019 at 13:15, Burton, Ross <ross.burton@intel.com> wrote:
> > On Thu, 28 Mar 2019 at 12:07, Alexander Kanavin <alex.kanavin@gmail.com> wrote:
> > > The problem with setting PV properly is that 2.32 is less than 2.32.0
> > > and will cause the 'version going backwards' problem. But if RP/Khem
> > > are fine with it, I would prefer your patch.
> >
> > I just had a look at the code in bitbake and yes, it actually even
> > tests that 1 < 1.0.  I'd say that there's an argument for handling .0
> > releases specially and considering 2.32 == 2.32.0.
> 
> Of course that test exists for people using feeds, and at least dpkg
> thinks 2.32 < 2.32.0, so even if we changed the test the feed would
> still be broken.

Breaking feeds on purpose is bad, so this is a case to bump PE?

-- 
Tom


* Re: [PATCH 1/1] binutils: fix PV to respect upstream tag and also cve database
  2019-03-28 13:46         ` Tom Rini
@ 2019-03-28 13:50           ` Burton, Ross
  2019-03-28 14:08             ` Alexander Kanavin
  0 siblings, 1 reply; 12+ messages in thread
From: Burton, Ross @ 2019-03-28 13:50 UTC (permalink / raw)
  To: Tom Rini, ChenQi; +Cc: OE-core

On Thu, 28 Mar 2019 at 13:47, Tom Rini <trini@konsulko.com> wrote:
> > > I just had a look at the code in bitbake and yes, it actually even
> > > tests that 1 < 1.0.  I'd say that there's an argument for handling .0
> > > releases specially and considering 2.32 == 2.32.0.
> >
> > Of course that test exists for people using feeds, and at least dpkg
> > thinks 2.32 < 2.32.0, so even if we changed the test the feed would
> > still be broken.
>
> Breaking feeds on purpose is bad, so this is a case to bump PE?

Bumping PE is even worse as a PE never goes away.  I say we leave it
as it is, and ask upstream nicely if they'll match the tag/version in
the future.

The CVE problem can be resolved by setting CVE_VERSION.

Ross



* Re: [PATCH 1/1] binutils: fix PV to respect upstream tag and also cve database
  2019-03-28 13:50           ` Burton, Ross
@ 2019-03-28 14:08             ` Alexander Kanavin
  2019-03-28 14:25               ` Tom Rini
  2019-03-28 14:37               ` Burton, Ross
  0 siblings, 2 replies; 12+ messages in thread
From: Alexander Kanavin @ 2019-03-28 14:08 UTC (permalink / raw)
  To: Burton, Ross; +Cc: Tom Rini, OE-core

On Thu, 28 Mar 2019 at 14:51, Burton, Ross <ross.burton@intel.com> wrote:

> Bumping PE is even worse as a PE never goes away.  I say we leave it
> as it is, and ask upstream nicely if they'll match the tag/version in
> the future.

The tag and version upstream are both 2.32. It's Khem who declared PV
to be 2.32.0 :)

Alex



* Re: [PATCH 1/1] binutils: fix PV to respect upstream tag and also cve database
  2019-03-28 14:08             ` Alexander Kanavin
@ 2019-03-28 14:25               ` Tom Rini
  2019-03-28 14:38                 ` Burton, Ross
  2019-03-28 14:37               ` Burton, Ross
  1 sibling, 1 reply; 12+ messages in thread
From: Tom Rini @ 2019-03-28 14:25 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE-core

On Thu, Mar 28, 2019 at 03:08:00PM +0100, Alexander Kanavin wrote:
> On Thu, 28 Mar 2019 at 14:51, Burton, Ross <ross.burton@intel.com> wrote:
> 
> > Bumping PE is even worse as a PE never goes away.  I say we leave it
> > as it is, and ask upstream nicely if they'll match the tag/version in
> > the future.
> 
> The tag and version upstream are both 2.32. It's Khem who declared PV
> to be 2.32.0 :)

Bumping PE is what this is for too, to not break package feeds after
we've done something wrong in PV.  So let's bump PE and not break feeds.
Especially since this is so that CVE check starts to see and correctly
complain about issues that will result in "let's move this from master to
..." and so break feeds.

-- 
Tom


* Re: [PATCH 1/1] binutils: fix PV to respect upstream tag and also cve database
  2019-03-28 14:08             ` Alexander Kanavin
  2019-03-28 14:25               ` Tom Rini
@ 2019-03-28 14:37               ` Burton, Ross
  1 sibling, 0 replies; 12+ messages in thread
From: Burton, Ross @ 2019-03-28 14:37 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: Tom Rini, OE-core

On Thu, 28 Mar 2019 at 14:08, Alexander Kanavin <alex.kanavin@gmail.com> wrote:
> The tag and version upstream are both 2.32. It's Khem who declared PV
> to be 2.32.0 :)

Yes I noticed that after sending.  Let's ask Khem nicely to use the
right version. :)

Ross



* Re: [PATCH 1/1] binutils: fix PV to respect upstream tag and also cve database
  2019-03-28 14:25               ` Tom Rini
@ 2019-03-28 14:38                 ` Burton, Ross
  2019-03-28 14:56                   ` Tom Rini
  0 siblings, 1 reply; 12+ messages in thread
From: Burton, Ross @ 2019-03-28 14:38 UTC (permalink / raw)
  To: Tom Rini; +Cc: OE-core

On Thu, 28 Mar 2019 at 14:25, Tom Rini <trini@konsulko.com> wrote:
> Bumping PE is what this is for too, to not break package feeds after
> we've done something wrong in PV.  So let's bump PE and not break feeds.
> Especially since this is so that CVE check starts to see and correctly
> complain about issues that will result in "let's move this from master to
> ..." and so break feeds.

Bumping PE is a nuclear-armed hammer when setting CVE_VERSION="2.32"
is sufficient and will go away when we upgrade to 2.32.1 onwards.

Ross



* Re: [PATCH 1/1] binutils: fix PV to respect upstream tag and also cve database
  2019-03-28 14:38                 ` Burton, Ross
@ 2019-03-28 14:56                   ` Tom Rini
  0 siblings, 0 replies; 12+ messages in thread
From: Tom Rini @ 2019-03-28 14:56 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE-core

On Thu, Mar 28, 2019 at 02:38:40PM +0000, Burton, Ross wrote:
> On Thu, 28 Mar 2019 at 14:25, Tom Rini <trini@konsulko.com> wrote:
> > Bumping PE is what this is for too, to not break package feeds after
> > we've done something wrong in PV.  So let's bump PE and not break feeds.
> > Especially since this is so that CVE check starts to see and correctly
> > complain about issues that will result in "let's move this from master to
> > ..." and so break feeds.
> 
> Bumping PE is a nuclear-armed hammer when setting CVE_VERSION="2.32"
> is sufficient and will go away when we upgrade to 2.32.1 onwards.

So long as we don't break package feeds, OK.  Thanks!

-- 
Tom

