Re: [Xen-devel] Difference between patch in XSA and patch checked in

[George Dunlap <george.dunlap@xxxxxxxxxx>]

On 08/24/2017 08:29 AM, Jan Beulich wrote:
>>>> On 23.08.17 at 18:35, <george.dunlap@xxxxxxxxxx> wrote:
>> Can I propose that committers should always check in the exact version
>> of the patch in the publicly-released advisory?  Preferably directly
>> from xsa.git, and with 'git am' (and not rebasing or modifying patches)?
> 
> As the presumably primary guilty one here, I'll try to remember to
> not make such changes going forward. 

Just to be clear, I wasn't trying to call anybody out; I was just trying
to share my experience. :-)  Thanks for making the effort.

> It is largely the adding of
> CVE numbers and tags to the patch which has turned out easier to
> do in a private copy of the patches (so they're ready to be applied
> without having to wait for / pull updates to xsa.git, the more that
> in less simple cases - which iirc XSA-218 was an example of - the
> automatic propagation of tags into the patches at public disclosure
> time doesn't always work [reliably]).

Is there a "timeliness" issue for checking patches into the tree?

> That's in particular how the format string differences have crept in
> that have caused you grief, as the way the diff-ing works is
> apparently quite different between the various possible tools to
> use. I do compare patches in such cases in order to make sure I
> don't commit any stale version, but the patch representation was
> so different that I apparently didn't notice the mixup in format
> strings.

It sounds like maybe we could use a tool that verified that the state of
the tree after applying patch A and the state of the tree after applying
patch B are identical.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel