qemu-devel.nongnu.org archive mirror
From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: Laszlo Ersek <lersek@redhat.com>, Dann Frazier <dannf@debian.org>
Cc: Prasad J Pandit <pjp@fedoraproject.org>,
	Serge Hallyn <serge.hallyn@ubuntu.com>,
	Michael Tokarev <mjt@tls.msk.ru>,
	QEMU Developers <qemu-devel@nongnu.org>,
	Steve Langasek <vorlon@debian.org>,
	Bruce Rogers <brogers@suse.com>,
	Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org>,
	Cole Robinson <crobinso@redhat.com>
Subject: Re: [PATCH-for-4.2? 0/1] roms/edk2: update submodule to edk2-stable201911, fixing low severity CVEs
Date: Fri, 6 Dec 2019 06:19:09 +0100
Message-ID: <ac771e22-72ef-fb40-c1a0-9cb1f76ab351@redhat.com>
In-Reply-To: <CAP+75-W4hi7oU636CN9f8d1aqrasxBYywwY7gvcVVSh36jnpOw@mail.gmail.com>

On 11/29/19 1:36 PM, Philippe Mathieu-Daudé wrote:
> On Fri, Nov 29, 2019 at 1:10 PM Laszlo Ersek <lersek@redhat.com> wrote:
>> On 11/29/19 11:44, Philippe Mathieu-Daudé wrote:
>>> I had this commit ready for when the next EDK2 release were to go out,
>>> which just happened: https://edk2.groups.io/g/devel/message/51502
>>>
>>> Laszlo doesn't think it's worth the churn to rush to get this update
>>> into 4.2-rc4: https://bugs.launchpad.net/qemu/+bug/1852196/comments/2
>>>
>>> I agree with Laszlo, users shouldn't use the EDK2 bundled within QEMU
>>> in production, and should rather build it from source. However some
>>> distributions seem to rely on this convenient way to package EDK2,
>>> and a few CVEs are fixed in this new release. So it might be worthwhile
>>> to get this into 4.2-rc4. Anyhow distributions don't use QEMU stable
>>> tag directly and backport patches, so if there is no other rc4 patch,
>>> we could skip this for after 4.2, as Laszlo originally planned.

Since I was looking at the Debian packaging, I confirm:

1/ Debian builds with -DNETWORK_HTTP_BOOT_ENABLE=TRUE -DSECURE_BOOT_ENABLE=TRUE:
https://salsa.debian.org/qemu-team/edk2/blob/debian/debian/rules#L32

2/ The CVE fixes were indeed backported:
https://salsa.debian.org/qemu-team/edk2/commit/e6630d57b

>>>
>>> Philippe Mathieu-Daudé (1):
>>>    roms/edk2: update submodule from edk2-stable201905 to
>>>      edk2-stable201911
>>>
>>>   roms/edk2 | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>
>> if we want to do this, then the above diffstat is not enough.
>>
>> - please evaluate whether we should do something like 9153b9d7401f
>> ("roms/Makefile.edk2: update input file list for
>> "pc-bios/edk2-licenses.txt"", 2019-06-14)
>>
>> - we need to rebuild the binaries: 3583cb29f28f ("pc-bios: refresh edk2
>> build artifacts for edk2-stable201905", 2019-06-14)
>>
>> - we should update the README file: 541617cad344 ("pc-bios: update the
>> README file with edk2-stable201905 information", 2019-06-14)
> 
> Oops sorry for missing all these points, I'll do them.
> 



Thread overview: 5+ messages
2019-11-29 10:44 [PATCH-for-4.2? 0/1] roms/edk2: update submodule to edk2-stable201911, fixing low severity CVEs Philippe Mathieu-Daudé
2019-11-29 10:44 ` [PATCH-for-4.2? 1/1] roms/edk2: update submodule from edk2-stable201905 to edk2-stable201911 Philippe Mathieu-Daudé
2019-11-29 12:10 ` [PATCH-for-4.2? 0/1] roms/edk2: update submodule to edk2-stable201911, fixing low severity CVEs Laszlo Ersek
2019-11-29 12:36   ` Philippe Mathieu-Daudé
2019-12-06  5:19     ` Philippe Mathieu-Daudé [this message]
