On 6/23/23 15:20, Michael Catanzaro wrote: > On Fri, Jun 23 2023 at 01:27:24 PM -0400, Josh Boyer > <jwboyer@xxxxxxxxxxxxxxxxx> wrote: >> Which means equivalent fixes are in CentOS Stream and anyone wanting >> to recreate exactly what is in RHEL is welcome to backport that code >> from CentOS Stream or upstream. > > Yes, but that's going to be pretty hard to do if you cannot see what > needs to be backported because you don't have a Customer Portal > subscription. :) > > In this particular case, there are two CVEs fixed somewhere in the > middle of maybe 100 other upstream changes, and the correspondence > between CVE vs. upstream commit is intentionally not public to > discourage distros from backporting individual security fixes. (It's > not a smart idea. Only 5% of WebKit security bugs get CVEs. I sometimes > do security backports for RHEL anyway for regulatory rather than > security reasons.) Anyway, to figure out what to backport in order to > match what's in RHEL, you'd have to either somehow get access to the > RHEL SRPM, or else email me and ask what to do. > > I don't really have any strong opinion about this change. Just pointing > out that it's going to be effectively impossible to reverse-engineer > RHEL from CentOS Stream. Let's not pretend that's realistic. Rebuilders > are going to need to get copies of the RHEL SRPMs somehow if they want > to match RHEL, and they do. For WebKit specifically, my recommendation is to just take the latest version from upstream, since anything else will be missing critical security patches. I would be highly surprised if Red Hat has patches that add any significant value there. This is even more true for Firefox, since Firefox is a leaf package. For upstreams as complex, fast-moving, and exposed as browser engines, trying to backport fixes is a fool’s errand. Just take what upstream provides and ship it. If one needs patches for legal reasons, upstream those and ship the result. And yes, in the case of Chromium that does mean using a clang binary built from the same sources as the one Google provides. Every hour needed to ship a patch is one hour the attackers have to write and deploy an exploit. -- Sincerely, Demi Marie Obenour (she/her/hers) _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
