From patchwork Wed Sep 20 10:06:44 2023
X-Patchwork-Submitter: Roland Hieber
X-Patchwork-Id: 30798
From: Roland Hieber
To: docs@lists.yoctoproject.org
Cc: yocto@pengutronix.de, Roland Hieber
Subject: [PATCH 1/4] contributor-guide: recipe-style-guide: add section about CVE patches
Date: Wed, 20 Sep 2023 12:06:44 +0200
Message-Id: <20230920100647.1038583-1-rhi@pengutronix.de>
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/4265

This was previously included in the OpenEmbedded wiki page [1], but was not
ported along with the rest in commit 95c9a1e1e78bbfb82ade (2023-09-12, Michael
Opdenacker: "contributor-guide: recipe-style-guide: add Upstream-Status").

[1]: https://www.openembedded.org/index.php?title=Commit_Patch_Message_Guidelines&oldid=10935

Group the examples in their own sections.

Signed-off-by: Roland Hieber
---
This is basically v2 of "[PATCH] contributor-guide: add docs for
Upstream-Status patch headers", Message-Id:
<20230919111549.997443-2-rhi@pengutronix.de> rebased onto master-next, but since
it looks so different now I made a new v1 patch out of it.

 .../contributor-guide/recipe-style-guide.rst | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/documentation/contributor-guide/recipe-style-guide.rst b/documentation/contributor-guide/recipe-style-guide.rst index 99105179a6b9..52ab4523c49f 100644 --- a/documentation/contributor-guide/recipe-style-guide.rst +++ b/documentation/contributor-guide/recipe-style-guide.rst
@@ -321,7 +321,17 @@ the status should be changed to ``Submitted [where]``, and an additional ``Signed-off-by:`` line should be added to the patch by the person claiming responsibility for upstreaming. -For example, if the patch has been submitted upstream:: +CVE patches +----------- + +In order to have a better control of vulnerabilities, patches that fix CVEs must +contain a *"CVE:"* tag. This tag list all CVEs fixed by the patch. If more than +one CVE is fixed, separate them using spaces. + +Examples +-------- + +Here's an example of a patch that has been submitted upstream:: rpm: Adjusted the foo setting in bar @@ -336,3 +346,18 @@ For example, if the patch has been submitted upstream:: A future update can change the value to ``Accepted`` or ``Denied`` as appropriate. + +This should be the header of patch that fixes CVE-2015-8370 in GRUB2:: + + grub2: Fix CVE-2015-8370 + + [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1286966 + + Back to 28; Grub2 Authentication + + Two functions suffer from integer underflow fault; the grub_username_get() and grub_password_get()located in + grub-core/normal/auth.c and lib/crypto.c respectively. This can be exploited to obtain a Grub rescue shell. + + Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/grub.git/commit/?id=451d80e52d851432e109771bb8febafca7a5f1f2] + CVE: CVE-2015-8370 + 
Signed-off-by: Joe Developer

From patchwork Wed Sep 20 10:06:45 2023
X-Patchwork-Submitter: Roland Hieber
X-Patchwork-Id: 30799
From: Roland Hieber
To: docs@lists.yoctoproject.org
Cc: yocto@pengutronix.de, Roland Hieber
Subject: [PATCH 2/4] contributor-guide: recipe-style-guide: add some more patch tagging examples
Date: Wed, 20 Sep 2023 12:06:45 +0200
Message-Id: <20230920100647.1038583-2-rhi@pengutronix.de>
In-Reply-To: <20230920100647.1038583-1-rhi@pengutronix.de>
References: <20230920100647.1038583-1-rhi@pengutronix.de>
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/4266

Signed-off-by: Roland Hieber
---
 .../contributor-guide/recipe-style-guide.rst | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/documentation/contributor-guide/recipe-style-guide.rst b/documentation/contributor-guide/recipe-style-guide.rst index 52ab4523c49f..4faadcd122d8 100644 --- a/documentation/contributor-guide/recipe-style-guide.rst +++ b/documentation/contributor-guide/recipe-style-guide.rst
@@ -347,6 +347,22 @@ Here's an example of a patch that has been submitted upstream:: A future update can change the value to ``Accepted`` or ``Denied`` as appropriate. +Another example of a patch that is specific to OpenEmbedded:: + + Do not treat warnings as errors + + There are additional warnings found with musl which are + treated as errors and fails the build, we have more combinations + than upstream supports to handle. + + Upstream-Status: Inappropriate [oe specific] + +Here's a patch that has been backported from a pull request:: + + include missing sys/file.h for LOCK_EX + + Upstream-Status: Backport [https://github.com/systemd/systemd/pull/28651] + This should be the header of patch that fixes CVE-2015-8370 in GRUB2:: grub2: Fix CVE-2015-8370

From patchwork Wed Sep 20 10:06:46 2023
X-Patchwork-Submitter: Roland Hieber
X-Patchwork-Id: 30800
From: Roland Hieber
To: docs@lists.yoctoproject.org
Cc: yocto@pengutronix.de, Roland Hieber, Alexander Kanavin
Subject: [PATCH 3/4] contributor-guide: discourage marking patches as Inappropriate
Date: Wed, 20 Sep 2023 12:06:46 +0200
Message-Id: <20230920100647.1038583-3-rhi@pengutronix.de>
In-Reply-To: <20230920100647.1038583-1-rhi@pengutronix.de>
References: <20230920100647.1038583-1-rhi@pengutronix.de>
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/4263

It was never really clear what all those reasons really meant, and every patch
submitted upstream lightens the maintenance on the Yocto side. So remove the
current list, and replace it with two reasons in which an upstream submission
likely won't benefit the upstream project.

Suggested-by: Alexander Kanavin
Signed-off-by: Roland Hieber
---
 .../contributor-guide/recipe-style-guide.rst | 30 +++++++++----------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/documentation/contributor-guide/recipe-style-guide.rst b/documentation/contributor-guide/recipe-style-guide.rst index 4faadcd122d8..bc14c58a9759 100644 --- a/documentation/contributor-guide/recipe-style-guide.rst +++ b/documentation/contributor-guide/recipe-style-guide.rst
@@ -299,22 +299,20 @@ following status strings: ``Inappropriate [reason]`` The patch is not appropriate for upstream, include a brief reason on the - same line enclosed with ``[]``. The reason can be: - - - ``not author`` (you are not the author and do not intend to upstream this, - the source must be listed in the comments) - - ``native`` - - ``licensing`` - - ``configuration`` - - ``enable feature`` - - ``disable feature`` - - ``bugfix`` (add bug URL here) - - ``embedded specific`` - - ``other`` (give details in comments) - -The various ``Inappropriate [reason]`` status items are meant to indicate that -the person responsible for adding this patch to the system does not intend to -upstream the patch for a specific reason. + same line enclosed with ``[]``. In the past, there were several different + reasons not to submit patches upstream, but we have to consider that every + non-upstreamed patch means a maintainance burden for recipe maintainers. + Currently, the only reasons to mark patches as inappropriate for upstream + submission are: + + - ``oe specific``: the issue is specific to how Yocto performs builds + or sets things up at runtime, and can be resolved only with a patch that + is not however relevant or appropriate for general upstream submission. + - ``upstream ticket ``: the issue is not Yocto-specific and should be + fixed upstream, but the patch in its current form is not suitable for + merging upstream, and the author lacks sufficient expertise to develope a + proper patch. Instead the issue is handled via a bug report (include + link). 
Of course, if another person later takes care of submitting this patch upstream, the status should be changed to ``Submitted [where]``, and an additional

From patchwork Wed Sep 20 10:06:47 2023
X-Patchwork-Submitter: Roland Hieber
X-Patchwork-Id: 30797
From: Roland Hieber
To: docs@lists.yoctoproject.org
Cc: yocto@pengutronix.de, Roland Hieber, Michael Opdenacker
Subject: [PATCH 4/4] contributor-guide: deprecate "Accepted" patch status
Date: Wed, 20 Sep 2023 12:06:47 +0200
Message-Id: <20230920100647.1038583-4-rhi@pengutronix.de>
In-Reply-To: <20230920100647.1038583-1-rhi@pengutronix.de>
References: <20230920100647.1038583-1-rhi@pengutronix.de>
X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/4264

This is in accordance with the Release Notes of the gatesgarth release:

> In the ``Upstream-Status`` header convention for patches,
> ``Accepted`` has been replaced with ``Backport`` as these almost
> always mean the same thing i.e. the patch is already upstream and
> may need to be removed in a future recipe upgrade. If you are adding
> these headers to your own patches then use Backport to indicate that
> the patch has been sent upstream.

Suggested-by: Michael Opdenacker
Signed-off-by: Roland Hieber
---
 .../contributor-guide/recipe-style-guide.rst | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/documentation/contributor-guide/recipe-style-guide.rst b/documentation/contributor-guide/recipe-style-guide.rst index bc14c58a9759..ab3b94f02e7e 100644 --- a/documentation/contributor-guide/recipe-style-guide.rst +++ b/documentation/contributor-guide/recipe-style-guide.rst
@@ -277,13 +277,13 @@ following status strings: Submitted to upstream, waiting for approval. Optionally include where it was submitted, such as the author, mailing list, etc. -``Accepted`` - Accepted in upstream, expect it to be removed at next update, include - expected version info. +``Backport [version]`` + Accepted upstream and included in the next release, or backported from newer + upstream version, because we are at a fixed version. + Include upstream version info (e.g. commit ID or next expected version). -``Backport`` - Backported from new upstream version, because we are at a fixed version, - include upstream version info. + Note: historically, ``Accepted`` was another way to mark such patches, but + this status is now deprecated. ``Denied`` Not accepted by upstream, include reason in patch. @@ -342,7 +342,7 @@ Here's an example of a patch that has been submitted upstream:: Signed-off-by: Joe Developer -A future update can change the value to ``Accepted`` or ``Denied`` as +A future update can change the value to ``Backport`` or ``Denied`` as appropriate. Another example of a patch that is specific to OpenEmbedded::
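
Review bot: the "CVE patches" paragraph added in the first hunk of [PATCH 1/4] names the *"CVE:"* tag but never shows its syntax. The only place a reader sees the form is the GRUB2 header at the end of the second hunk (``CVE: CVE-2015-8370``), and nothing illustrates the space-separated form for a patch that fixes more than one CVE. Suggest stating the tag line literally in the prose, including a two-ID line with placeholder IDs, so that a patch header can be checked against the documented form without reading the example. Wording in the same hunks: "This tag list all CVEs" should be "lists", "a better control" reads better as "better control", "the header of patch that fixes" is missing "a", and "grub_password_get()located" in the example is missing a space.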
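
Review bot: the two example headers added in [PATCH 2/4] ("Do not treat warnings as errors" and "include missing sys/file.h for LOCK_EX") carry neither a recipe prefix in the subject nor a ``Signed-off-by:`` line, while the neighbouring examples in the same section have both ("rpm: Adjusted the foo setting in bar", "grub2: Fix CVE-2015-8370", "Signed-off-by: Joe Developer"). Since readers will copy these blocks as templates, suggest adding both to each new example. The backport example also points at a pull request rather than at the merged commit, so it does not pin the exact change that was backported; a commit URL like the one in the GRUB2 example would be more precise. Minor: "treated as errors and fails the build" should be "fail".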
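
Review bot: in the [PATCH 3/4] hunk, the second list entry reads ``upstream ticket `` with a trailing space and no placeholder, although its description ends with "(include link)". As written, the literal to put in the brackets is unclear; suggest showing an explicit placeholder for the ticket URL inside the literal. The text also says these are "the only reasons" but does not say how existing patches that use the removed values (``native``, ``licensing``, ``configuration`` and so on) should be treated, which is worth one sentence. Typos in the added lines: "maintainance" should be "maintenance", "develope" should be "develop", and "that is not however relevant or appropriate" would read better as "that is not relevant or appropriate".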
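
Review bot: the new ``Backport [version]`` entry in the first hunk of [PATCH 4/4] uses a ``[version]`` placeholder, but the examples elsewhere in this series put a URL in the brackets (``Backport [https://github.com/systemd/systemd/pull/28651]`` and the savannah commit URL in the GRUB2 header). The description does allow "commit ID or next expected version", so suggest either renaming the placeholder to cover both or saying explicitly that a commit URL is an accepted value. The "Note:" paragraph about ``Accepted`` sits inside the definition body as plain text; if the rest of the guide uses the reST note directive, it would be more consistent to use it here. The second hunk's change from ``Accepted`` to ``Backport`` in "A future update can change the value to" is consistent with the first.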