xen: add security patches #25839
Pull request CI report. Report generated at: 2022-06-09 20:20 UTC. There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
Pull request CI report. Report generated at: 2022-06-09 20:36 UTC. There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
Thanks. I think we can drop xen-tools-4.15.0-disable-werror.patch from the gentoo-patches due to gentoo/app-emulation/xen-tools/xen-tools-4.16.0-r4.ebuild Lines 420 to 426 in de194ec
and I also wonder if we shouldn't simply replace xen-tools-4.16.0-qemu-bridge.patch with a sed in
Can one of you look at https://bugs.gentoo.org/845099 too please, while discussing Werror?
Right now, my best idea would be to mimic what sys-firmware/ipxe is doing and set
@hydrapolic friendly ping :)
Sure, will do guys, just a bit busy with non-computer stuff. I'll also address https://xenbits.xen.org/xsa/advisory-404.html
Closes: https://bugs.gentoo.org/845099 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Fixes: XSA-401,XSA-402,XSA-404 Bug: https://bugs.gentoo.org/850802 Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Dropped xen-tools-4.15.0-disable-werror.patch for 4.16.1
Did for 4.16.1, now compiles with gcc-12.
Pull Request assignment
Submitter: @hydrapolic
app-emulation/xen: @hydrapolic, @gentoo/proxy-maint, @gentoo/xen
Linked bugs
In order to force reassignment and/or bug reference scan, please append
Pull request CI report. Report generated at: 2022-06-28 11:24 UTC. There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
I get

```
echo "Name: Xenstat"; \
echo "Description: The Xenstat library for Xen hypervisor"; \
echo "Version: 4.16.0"; \
echo "Cflags: -I\${includedir} -I/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/include"; \
echo "Libs: -L\${libdir} -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/call -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/ctrl -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/devicemodel -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/evtchn -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/foreignmemory -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/gnttab -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/stat -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/store -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/toolcore -Wl,-rpath-link=/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat/../../../tools/libs/toollog -lxenstat"; \
echo "Libs.private: "; \
echo "Requires.private: xencontrol,xenstore"; \
} > /data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/pkg-config/xenstat.pc
swig -python -module xenstat -Iinclude -I. -outdir bindings/swig/python -o bindings/swig/python/_xenstat.c bindings/swig/xenstat.i
make[5]: *** No rule to make target 'include/xenstat.h', needed by 'bindings/swig/python/_xenstat.so'. Stop.
make[5]: *** Waiting for unfinished jobs....
mv headers.chk.new headers.chk
bindings/swig/xenstat.i:8: Error: Unable to find 'xenstat.h'
make[5]: *** [Makefile:63: bindings/swig/python/_xenstat.c] Error 1
make[5]: Leaving directory '/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/stat'
make[4]: *** [/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/../../tools/Rules.mk:166: subdir-all-stat] Error 2
make[4]: Leaving directory '/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs'
make[3]: *** [/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs/../../tools/Rules.mk:161: subdirs-all] Error 2
make[3]: Leaving directory '/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/libs'
make[2]: *** [/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/../tools/Rules.mk:166: subdir-all-libs] Error 2
make[2]: Leaving directory '/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools'
make[1]: *** [/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools/../tools/Rules.mk:161: subdirs-all] Error 2
make[1]: Leaving directory '/data-scratch/var-tmp/portage/app-emulation/xen-tools-4.16.1/work/xen-4.16.1/tools'
make: *** [Makefile:63: build-tools] Error 2
 * ERROR: app-emulation/xen-tools-4.16.1::gentoo failed (compile phase):
```

when emerging this. Full build log at https://0x0.st/oSlA.log
@@ -464,6 +464,11 @@ src_compile() { | |||
append-flags -fno-strict-overflow | |||
fi | |||
|
|||
# bug #845099 | |||
if use ipxe; then | |||
export NO_WERROR=1 |
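Review bot: the `# bug #845099` comment above `export NO_WERROR=1` in `src_compile()` gives only a bug number. Say in the comment what the variable switches off and for which part of the build, so a later reader can tell when the workaround is safe to drop. The visible lines also set it for everything that runs after this point whenever `use ipxe` is true; if only the ipxe step needs it, set it as close to that step as possible.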
export NO_WERROR=1 | |
local -x NO_WERROR=1 |
IIRC using `local -x` instead of `export` restricts the scope of the variable to the current bash function and all child processes spawned by it. Whereas with `export` it would also be visible in e.g., `src_install`.
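The scoping difference described in the comment above, as an added bash example that is not part of the pull request or the ebuild. The function names (`child_sees`, `compile_export`, `compile_local`, `later_phase`, `trace`) are hypothetical, and the phases are modelled as plain functions called one after another in a single shell, which is an assumption and not how Portage itself schedules phases.

```bash
#!/usr/bin/env bash
# `local -x` is a bash feature; re-run under bash if another sh started us.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# What a process spawned from the current scope inherits (stands in for make).
child_sees() { bash -c 'printf %s "${NO_WERROR:-unset}"'; }

# As in the hunk: export inside the phase function.
compile_export() { export NO_WERROR=1; DURING=$(child_sees); }

# As in the suggestion: local -x inside the phase function.
compile_local() { local -x NO_WERROR=1; DURING=$(child_sees); }

# A function called afterwards in the same shell (stands in for src_install).
later_phase() { child_sees; }

# Run one compile variant, then the later phase, in a throwaway subshell
# so each trace starts from a clean environment.
trace() (
    unset NO_WERROR DURING
    "$1"
    printf 'compile=%s later=%s\n' "$DURING" "$(later_phase)"
)

trace compile_export   # compile=1 later=1
trace compile_local    # compile=1 later=unset
```

In both variants the child process started during the compile function sees the variable; only the `export` variant leaves it set for processes started after that function has returned.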
This introduces a new approach to handle Xen patching and versioning. SECURITY_VER and OVMF_VER were dropped as those have not been used in a while. We now consume the upstream patches from a repository called xen-upstream-patches, which will ultimately be hosted by Gentoo infra (e.g. available under gitweb.gentoo.org). The Gentoo patchset now lives in a repository called xen-gentoo-patches, which will also be hosted on Gentoo infra. Furthermore we now follow upstream's versioning scheme. Previously we would sell Xen 4.16.2-pre, which is from the staging-4.16 branch containing security fixes, as Xen 4.16.1. To avoid confusion, we will label the Xen versions as such, and Xen 4.16.1 will be what is tagged upstream as RELEASE-4.16.1 (+ the few Gentoo specific patches). Closes: https://bugs.gentoo.org/845099 Bug: https://bugs.gentoo.org/850802 Closes: gentoo#25839 Signed-off-by: Florian Schmaus <flow@gentoo.org>
Bug: https://bugs.gentoo.org/850802 Signed-off-by: Florian Schmaus <flow@gentoo.org> Closes: #26217 Closes: #25839
4.15.2 boot tested on amd64
4.16.1 compile tested on ~amd64 with gcc-12