Re: What is Fedora?

On 6/23/23 15:20, Michael Catanzaro wrote:
> On Fri, Jun 23 2023 at 01:27:24 PM -0400, Josh Boyer 
> <jwboyer@xxxxxxxxxxxxxxxxx> wrote:
>> Which means equivalent fixes are in CentOS Stream and anyone wanting
>> to recreate exactly what is in RHEL is welcome to backport that code
>> from CentOS Stream or upstream.
> 
> Yes, but that's going to be pretty hard to do if you cannot see what 
> needs to be backported because you don't have a Customer Portal 
> subscription. :)
> 
> In this particular case, there are two CVEs fixed somewhere in the 
> middle of maybe 100 other upstream changes, and the correspondence 
> between CVE vs. upstream commit is intentionally not public to 
> discourage distros from backporting individual security fixes. (It's 
> not a smart idea. Only 5% of WebKit security bugs get CVEs. I sometimes 
> do security backports for RHEL anyway for regulatory rather than 
> security reasons.) Anyway, to figure out what to backport in order to 
> match what's in RHEL, you'd have to either somehow get access to the 
> RHEL SRPM, or else email me and ask what to do.
> 
> I don't really have any strong opinion about this change. Just pointing 
> out that it's going to be effectively impossible to reverse-engineer 
> RHEL from CentOS Stream. Let's not pretend that's realistic. Rebuilders 
> are going to need to get copies of the RHEL SRPMs somehow if they want 
> to match RHEL, and they do.

For WebKit specifically, my recommendation is to just take the latest
version from upstream, since anything else will be missing critical
security patches.  I would be highly surprised if Red Hat has
patches that add any significant value there.  This is even more
true for Firefox, since Firefox is a leaf package.

For upstreams as complex, fast-moving, and exposed as browser engines,
trying to backport fixes is a fool’s errand.  Just take what upstream
provides and ship it.  If one needs patches for legal reasons, upstream
those and ship the result.  And yes, in the case of Chromium that does
mean using a clang binary built from the same sources as the one Google
provides.  Every hour needed to ship a patch is one hour the attackers
have to write and deploy an exploit.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue