[dunfell] git: Use CVE_CHECK_WHITELIST instead of CVE_CHECK_IGNORE

Message ID 20220517111500.735-1-ranjitsinhrathod1991@gmail.com
State Accepted, archived
Commit 970743af349e21a399da6241587b849b14933bc5
Series [dunfell] git: Use CVE_CHECK_WHITELIST instead of CVE_CHECK_IGNORE

Commit Message

Ranjitsinh Rathod May 17, 2022, 11:15 a.m. UTC
Use CVE_CHECK_WHITELIST as CVE_CHECK_IGNORE is not valid on dunfell
branch

Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
---
 meta/recipes-devtools/git/git.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Mikko Rapeli May 17, 2022, 11:41 a.m. UTC | #1
Hi,

On Tue, May 17, 2022 at 04:45:00PM +0530, Ranjitsinh Rathod wrote:
> Use CVE_CHECK_WHITELIST as CVE_CHECK_IGNORE is not valid on dunfell
> branch

Good finding, thanks. I think it makes sense to support both CVE_CHECK_WHITELIST
and CVE_CHECK_IGNORE variables in dunfell as patches will be cherry-picked and
this issue may creep in again silently.

Other opinions?

Cheers,

-Mikko

> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com>
> ---
>  meta/recipes-devtools/git/git.inc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
> index 879920d97e..b5d0004712 100644
> --- a/meta/recipes-devtools/git/git.inc
> +++ b/meta/recipes-devtools/git/git.inc
> @@ -22,7 +22,7 @@ CVE_PRODUCT = "git-scm:git"
>  # This is about a manpage not mentioning --mirror may "leak" information
>  # in mirrored git repos. Most OE users wouldn't build the docs and
>  # we don't see this as a major issue for our general users/usecases.
> -CVE_CHECK_IGNORE += "CVE-2022-24975"
> +CVE_CHECK_WHITELIST += "CVE-2022-24975"
>  
>  PACKAGECONFIG ??= ""
>  PACKAGECONFIG[cvsserver] = ""
> -- 
> 2.17.1
> 

Richard Purdie May 17, 2022, 11:57 a.m. UTC | #2
On Tue, 2022-05-17 at 11:41 +0000, Mikko Rapeli wrote:
> Hi,
> 
> On Tue, May 17, 2022 at 04:45:00PM +0530, Ranjitsinh Rathod wrote:
> > Use CVE_CHECK_WHITELIST as CVE_CHECK_IGNORE is not valid on dunfell
> > branch
> 
> Good finding, thanks. I think it makes sense to support both CVE_CHECK_WHITELIST
> and CVE_CHECK_IGNORE variables in dunfell as patches will be cherry-picked and
> this issue may creep in again silently.
> 
> Other opinions?

I wondered if we backport the BB_RENAMED_VARIABLES functionality to
older bitbakes but use it differently - have it error if the new names
are detected?

That way we solve this for the other variable names too.

Steve: Any thoughts?

Cheers,

Richard
Steve Sakoman May 17, 2022, 2:06 p.m. UTC | #3
On Tue, May 17, 2022 at 1:57 AM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Tue, 2022-05-17 at 11:41 +0000, Mikko Rapeli wrote:
> > Hi,
> >
> > On Tue, May 17, 2022 at 04:45:00PM +0530, Ranjitsinh Rathod wrote:
> > > Use CVE_CHECK_WHITELIST as CVE_CHECK_IGNORE is not valid on dunfell
> > > branch
> >
> > Good finding, thanks. I think it makes sense to support both CVE_CHECK_WHITELIST
> > and CVE_CHECK_IGNORE variables in dunfell as patches will be cherry-picked and
> > this issue may creep in again silently.
> >
> > Other opinions?
>
> I wondered if we backport the BB_RENAMED_VARIABLES functionality to
> older bitbakes but use it differently - have it error if the new names
> are detected?
>
> That way we solve this for the other variable names too.
>
> Steve: Any thoughts?

First of all, sorry this slipped by me :-(

I support the approach of having bitbake error if the new names are
detected and would gladly take such a patch.

I think this is much better than having a mix of old and new variable
names in dunfell.

Steve
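
The thread's proposed remedy is a bitbake-level error whenever the new variable names show up on dunfell. As an added illustration (not code from this thread, from bitbake, or from OE-Core), the stand-alone lint below scans recipe text for assignments to the new names and reports the name the branch actually honours, so the silent no-op this patch fixes cannot creep back through a cherry-pick; the second name pair in the map is an assumption drawn from the same rename series and does not appear on this page, and the sample recipe text is constructed.

```python
import re
import sys

# New (master) variable name -> name the dunfell branch still honours.
# The first pair is the one this patch fixes; the second is assumed to
# belong to the same rename series and is not taken from the thread.
RENAMED_ON_DUNFELL = {
    "CVE_CHECK_IGNORE": "CVE_CHECK_WHITELIST",
    "CVE_CHECK_SKIP_RECIPE": "CVE_CHECK_PN_WHITELIST",
}

# Every bitbake assignment operator.
_OPS = r"(?:\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)"

def _assignment_re(name):
    # Assignment to NAME, optionally with an override or flag suffix
    # (NAME_append, NAME:pn-git, NAME[flag]). Old-style NAME_<override>
    # forms are treated as the same variable, which is what bitbake does
    # when <override> is active.
    return re.compile(r"^\s*" + re.escape(name) + r"(?:[_:\[][^\s=]*)?\s*" + _OPS)

def find_unsupported_vars(text, renames=RENAMED_ON_DUNFELL):
    """Return (line_no, new_name, old_name) for every non-comment line that
    assigns a variable this branch does not honour."""
    patterns = [(new, old, _assignment_re(new)) for new, old in renames.items()]
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for new, old, pat in patterns:
            if pat.match(line):
                hits.append((no, new, old))
    return hits

# Constructed sample: the pre-patch git.inc lines, the corrected dunfell line,
# and an override-style assignment such as a cherry-pick from master might carry.
SAMPLE_RECIPE = '''CVE_PRODUCT = "git-scm:git"
# This is about a manpage not mentioning --mirror may "leak" information
CVE_CHECK_IGNORE += "CVE-2022-24975"
CVE_CHECK_WHITELIST += "CVE-2022-24975"
CVE_CHECK_IGNORE:append:pn-git = " CVE-2022-24975"
PACKAGECONFIG[cvsserver] = ""
'''

if __name__ == "__main__":
    hits = find_unsupported_vars(SAMPLE_RECIPE)
    for no, new, old in hits:
        print(f"line {no}: {new} is not honoured on dunfell; use {old}")
    sys.exit(1 if hits else 0)  # non-zero, like the bitbake error the thread proposes
```

Run against the sample, lines 3 and 5 are reported and line 4 (the form this patch introduces) passes.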

Patch

diff --git a/meta/recipes-devtools/git/git.inc b/meta/recipes-devtools/git/git.inc
index 879920d97e..b5d0004712 100644
--- a/meta/recipes-devtools/git/git.inc
+++ b/meta/recipes-devtools/git/git.inc
@@ -22,7 +22,7 @@  CVE_PRODUCT = "git-scm:git"
 # This is about a manpage not mentioning --mirror may "leak" information
 # in mirrored git repos. Most OE users wouldn't build the docs and
 # we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
+CVE_CHECK_WHITELIST += "CVE-2022-24975"
 
 PACKAGECONFIG ??= ""
 PACKAGECONFIG[cvsserver] = ""
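Review bot: the rename is the right fix for this branch, since CVE_CHECK_IGNORE is not a recognised variable on dunfell and, as the thread notes, the wrong name is accepted silently, so the old line left CVE-2022-24975 unsuppressed in cve-check output while the comment above it claimed the CVE was being ignored; because the same slip will return with the next cherry-pick from master, pair this with a branch-level check that rejects CVE_CHECK_IGNORE and the other renamed names rather than relying on review to catch it. The comment could also state that this is an accepted risk for the manpage issue rather than a finding that the CVE does not apply, so a later reader understands why the entry is excluded.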