[yocto] : [meta]: [recipes-bsp]: u-boot: update commit id to the latest one of u-boot upstream

Tom Rini trini at konsulko.com
Tue Jan 29 10:20:31 PST 2019


On Mon, Jan 28, 2019 at 06:20:02PM +0800, Meng.Li at windriver.com wrote:

> From: Limeng <Meng.Li at windriver.com>
> 
> Hi Richard,
> 
> Could you please help to merge this patch into meta/recipes-bsp/u-boot, branch is master?
> 
> There are 2 CVE issues fixed in the latest u-boot upstream, so
> update the commit id to include these fixes.

With my U-Boot maintainer hat on, NAK.  While there are two CVEs that
have been addressed now (and present for a long while) I would say both:
- The issues themselves are not so catastrophic that you should move to
  a pre-release (I haven't even tagged v2019.04-rc1 yet!) to get them
  nor blindly back-port the changes.  I intentionally didn't apply them
  to the last release as I expected unintended consequences.  Surprise!
  There have been unintended consequences of those changes and I haven't
  pulled in the changes for that just yet.
- Even once the patches to address the CVEs are addressed, I don't see
  why you would move to "top of tree" rather than, as is normal practice,
  backport the changes.  Simon's fix here is a clear series in patchwork
  (as well as git history) to apply as needed, if after evaluating the
  CVEs it's something that you feel should be addressed in this way and
  not with the workaround (telling U-Boot to load at most $X bytes).

Thanks!

-- 
Tom