
Re: [Xen-users] Patches fail - why ?

Thank you, George -

Because the official patch isn't aimed at being applied on top of the
tarball; it's aimed at being applied to the staging branch, to make
sure that 4.10.2 is fixed properly.

Does it mean that patches are published against a not-yet-released
release ?

Fundamentally there are many different "pseudo-branches" to which a
patch might or might not apply:
1. The plain 4.10.1 release tarball
2. The 4.10.1 release tarball + all previous XSAs
3. The 4.10.1 release tarball + all previous XSAs + some set of fixes
backported from the staging branch
4. The staging-4.10 branch, which will eventually become 4.10.2

In this case, it sounds like you're doing #1; I *think* if you do #2
then the patch will apply in this case. But in the general case, a
patch may only apply to one of those branches.

I'm doing #2, as this makes most sense to me.

A patch for #4 will always have to be done no matter what; so no
matter how many patches per release we generate, we'll always have to
prepare that one.

That's clear.

Every time a patch is ported it takes extra effort for the security
team -- we already release 6 versions of the security patch (4.6 -
4.10 + master).  If we created separate patches for #2 (and #1),
then every single XSA patch would require 18 versions; and many XSAs
contain several patches.  That's just not sustainable.

I can see the trouble (I think).
On the other hand, I can't see the point in separate (out of git)
publishing of XSA patches other than #2 (vs. the stable, officially
patched release): #1 is out of consideration, #4 is in the git anyway
and #3 implies that the stable branch is never frozen by a release
(and always has to be taken from git - therefore the patches can stay
there as well, perhaps with some alert that a new version of the stable
branch has to be built for security reasons).
What is it that I miss ?

I see where you're coming from -- I also maintain the CentOS packages
and have to deal with the delta between the published patch and my
package as well.  It's a difficult issue that we're still wrestling

No - I don't maintain anything, I want to rely on the official source
package. That's why I am asking.

Thanks again,

