xen: add security patches #25839
xen: add security patches #25839
Conversation
gentoo-bot
added
self-maintained
hydrapolic
changed the title
gentoo-bot
changed the title
gentoo-bot
added
self-maintained
Pull request CI reportReport generated at: 2022-06-09 20:20 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
Pull request CI reportReport generated at: 2022-06-09 20:36 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
|
Thanks. I think we can drop xen-tools-4.15.0-disable-werror.patch from the gentoo-patches due to gentoo/app-emulation/xen-tools/xen-tools-4.16.0-r4.ebuild Lines 420 to 426 in de194ec and I also wonder if we shouldn't simply replace xen-tools-4.16.0-qemu-bridge.patch with a sed in |
|
Can one of you look at https://bugs.gentoo.org/845099 too please, while discussing Werror? |
Right now, my best idea would be to mimic what sys-firmware/ipxe is doing and set |
|
@hydrapolic friendly ping :) |
|
Sure, will do guys, just a bit busy with non-computer stuff. I'll also address https://xenbits.xen.org/xsa/advisory-404.html |
Closes: https://bugs.gentoo.org/845099 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Fixes: XSA-401,XSA-402,XSA-404 Bug: https://bugs.gentoo.org/850802 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Dropped xen-tools-4.15.0-disable-werror.patch for 4.16.1 |
Did for 4.16.1, now compiles with gcc-12. |
hydrapolic
changed the title
gentoo-bot
changed the title
Pull Request assignmentSubmitter: @hydrapolic app-emulation/xen: @hydrapolic, @gentoo/proxy-maint, @gentoo/xen Linked bugsIn order to force reassignment and/or bug reference scan, please append Docs: Code of Conduct ● Copyright policy (expl.) ● Devmanual ● GitHub PRs ● Proxy-maint guide |
gentoo-bot
removed
the
assigned
gentoo-bot
added
self-maintained
Pull request CI reportReport generated at: 2022-06-28 11:24 UTC There are existing issues already. Please look into the report to make sure none of them affect the packages in question: |
There was a problem hiding this comment.
I get
echo "Name: Xenstat"; \
echo "Description: The Xenstat library for Xen hypervisor"; \
echo "Version: 4.16.0"; \
echo "Cflags: -I\${includedir} -I/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/include"; \
echo "Libs: -L\${libdir} -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/call -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/ctrl -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/devicemodel -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/evtchn -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/foreignmemory -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/gnttab -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/stat -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/store -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/toolcore -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/toollog -lxenstat"; \
echo "Libs.private: "; \
echo "Requires.private: xencontrol,xenstore"; \
} > /data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/pkg-config/xenstat.pc
swig -python -module xenstat -Iinclude -I. -outdir bindings/swig/python -o bindings/swig/python/_xenstat.c bindings/swig/xenstat.i
make[5]: *** No rule to make target 'include/xenstat.h', needed by 'bindings/swig/python/_xenstat.so'. Stop.
make[5]: *** Waiting for unfinished jobs....
mv headers.chk.new headers.chk
bindings/swig/xenstat.i:8: Error: Unable to find 'xenstat.h'
make[5]: *** [Makefile:63: bindings/swig/python/_xenstat.c] Error 1
make[5]: Leaving directory '/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat'
make[4]: *** [/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/../../tools/Rules.mk:166: subdir-all-stat] Error 2
make[4]: Leaving directory '/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs'
make[3]: *** [/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/../../tools/Rules.mk:161: subdirs-all] Error 2
make[3]: Leaving directory '/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs'
make[2]: *** [/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/../tools/Rules.mk:166: subdir-all-libs] Error 2
make[2]: Leaving directory '/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools'
make[1]: *** [/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/../tools/Rules.mk:161: subdirs-all] Error 2
make[1]: Leaving directory '/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools'
make: *** [Makefile:63: build-tools] Error 2
* ERROR: app-emulation/xen-tools-4.16.1::gentoo failed (compile phase):
when emerging this. Full build log at https://0x0.st/oSlA.log
| @@ -464,6 +464,11 @@ src_compile() { | |||
| append-flags -fno-strict-overflow | |||
| fi | |||
|
|
|||
| # bug #845099 | |||
| if use ipxe; then | |||
| export NO_WERROR=1 | |||
There was a problem hiding this comment.
| export NO_WERROR=1 | |
| local -x NO_WERROR=1 |
IIRC using local -x instead of export restricts the scope of the variable to the current bash function and all child processes spawned by it. Whereas with export it would also be visible in e.g., src_install.
This introduces a new approach to handle Xen patching and versioning. SECURITY_VER and OVMF_VER where dropped as those have not been used in a while. We now consume the upstream patches from a repository called xen-upstream-patches, which will ultimately be hosted by Gentoo infra (e.g. available under gitweb.gentoo.org). The Gentoo patchset now lives in a repository called xen-gentoo-patches, which will also be hosted on Gentoo infra. Furthermore we now follow upstreams versioning scheme. Previously we would sell Xen 4.16.2-pre, which is from the staging-4.16 branch containing security fixes, as Xen 4.16.1. To avoid confusion, we will label the Xen versions as such, and Xen 4.16.1 will what is tagged upstream as RELEASE-4.16.1 (+ the few Gentoo specific patches). Closes: https://bugs.gentoo.org/845099 Bug: https://bugs.gentoo.org/850802 Closes: gentoo#25839 Signed-off-by: Florian Schmaus <flow@gentoo.org>
This introduces a new approach to handle Xen patching and versioning. SECURITY_VER and OVMF_VER where dropped as those have not been used in a while. We now consume the upstream patches from a repository called xen-upstream-patches, which will ultimately be hosted by Gentoo infra (e.g. available under gitweb.gentoo.org). The Gentoo patchset now lives in a repository called xen-gentoo-patches, which will also be hosted on Gentoo infra. Furthermore we now follow upstreams versioning scheme. Previously we would sell Xen 4.16.2-pre, which is from the staging-4.16 branch containing security fixes, as Xen 4.16.1. To avoid confusion, we will label the Xen versions as such, and Xen 4.16.1 will what is tagged upstream as RELEASE-4.16.1 (+ the few Gentoo specific patches). Closes: https://bugs.gentoo.org/845099 Bug: https://bugs.gentoo.org/850802 Closes: gentoo#25839 Signed-off-by: Florian Schmaus <flow@gentoo.org>
Bug: https://bugs.gentoo.org/850802 Signed-off-by: Florian Schmaus <flow@gentoo.org> Closes: #26217 Closes: #25839
4.15.2 boot tested on amd64
4.16.1 compile tested on ~amd64 with gcc-12