Re: [Xen-users] Patches fail - why ?
On Tue, Jun 5, 2018 at 8:20 AM, Jan Vejvalka <jan.vejvalka@xxxxxxxxxxxxxxx> wrote:
> Thank you, Mark -
>
> - my question, however, remains: what do I do/assume wrong when I'm
> getting errors applying the official (?) patch set (XSA-263) on the
> official (?) source package (4.10.1).

Because the official patch isn't aimed at being applied on top of the tarball; it's aimed at being applied to the staging branch, to make sure that 4.10.2 is fixed properly.

Fundamentally there are many different "pseudo-branches" to which a patch might or might not apply:

1. The plain 4.10.1 release tarball
2. The 4.10.1 release tarball + all previous XSAs
3. The 4.10.1 release tarball + all previous XSAs + some set of fixes backported from the staging branch
4. The staging-4.10 branch, which will eventually become 4.10.2

In this case, it sounds like you're doing #1; I *think* if you do #2 then the patch will apply in this case. But in the general case, a patch may only apply to one of those branches.

A patch for #4 will always have to be done no matter what; so no matter how many patches per release we generate, we'll always have to prepare that one.

Every time a patch is ported it takes extra effort for the security team -- we already release 6 versions of the security patch (4.6 - 4.10 + master). If we created separate patches for #2 (and #1), then every single XSA patch would require 18 versions; and many XSAs contain several patches. That's just not sustainable.

I see where you're coming from -- I also maintain the CentOS packages and have to deal with the delta between the published patch and my package as well. It's a difficult issue that we're still wrestling with.

 -George
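An added illustration of the point in the message above (not part of the original post and not Xen project code): a dry-run check of which base tree a patch applies to, using a constructed file and two hypothetical fixes. The strict applier is a simplification; the real patch(1) also tolerates line offsets and a small amount of context fuzz.

```python
import difflib

# Constructed sample file; not taken from the Xen tree.
RELEASE = ["int check(int idx)", "{", "    if (idx > MAX)",
           "        return -1;", "    return table[idx];", "}"]
# Hypothetical earlier advisory fix (part of "all previous XSAs").
PREV_FIXED = RELEASE[:2] + ["    if (idx >= MAX)"] + RELEASE[3:]
# Hypothetical new fix, written against the tree that already has it.
NEW_FIXED = PREV_FIXED[:4] + ["    idx = clamp(idx);"] + PREV_FIXED[4:]

def make_patch(old, new):
    """Unified diff from old to new, as a list of lines."""
    return list(difflib.unified_diff(old, new, "a/f.c", "b/f.c", lineterm=""))

def apply_strict(base, patch):
    """Apply a unified diff with no offset or fuzz; ValueError on mismatch."""
    out, pos = [], 0
    for line in patch[2:]:                    # skip the ---/+++ file headers
        if line.startswith("@@"):             # "@@ -start,count +start,count @@"
            start = int(line.split()[1].split(",")[0][1:]) - 1
            out += base[pos:start]
            pos = start
        elif line[0] == "+":
            out.append(line[1:])
        else:                                 # context (" ") or removal ("-")
            if pos >= len(base) or base[pos] != line[1:]:
                raise ValueError(f"line {pos + 1}: expected {line[1:]!r}")
            if line[0] == " ":
                out.append(base[pos])
            pos += 1
    return out + base[pos:]

def applicable_bases(patch, bases):
    """Dry run: names of the trees the patch applies to cleanly."""
    ok = []
    for name, lines in bases.items():
        try:
            apply_strict(lines, patch)
            ok.append(name)
        except ValueError:
            pass
    return ok

PREV_PATCH = make_patch(RELEASE, PREV_FIXED)
NEW_PATCH = make_patch(PREV_FIXED, NEW_FIXED)
BASES = {"#1 plain tarball": RELEASE,
         "#2 tarball + previous fixes": apply_strict(RELEASE, PREV_PATCH)}
print(applicable_bases(NEW_PATCH, BASES))
```

The new patch is rejected on the plain tarball because one of its context lines only exists after the earlier fix; with real trees the equivalent check is a dry run of the patch tool against each candidate base before changing anything.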