[Bug 2079784] Review Request: systemd-boot - UEFI boot manager

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



https://bugzilla.redhat.com/show_bug.cgi?id=2079784



--- Comment #15 from Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> ---
> What about 'Provides:systemd-boot-signed(%{efi_arch)) = %version-%release' ?

Added:
+Provides: systemd-boot-signed-%{efi_arch} = %version-%release
and in the systemd pr:
+Provides: systemd-boot-unsigned-%{efi_arch} = %version-%release

I guess that using -%{efi_arch} has the advantage that (%{efi_arch}) could be
mistaken
and/or interfere with (%{_isa}).

--


> There's nothing in that post that refuted or even addresses any of my points above.

You wrote "it will by definition have different CVEs and different code", and
that post
and the rest of the thread discusses how systemd-boot and bootctl actually
share code. Even more
importantly, they share implementation logic (even if sometimes we need to have
two separate
implementations), so the same bugs could and in practice do affect both. The
rest of your
analysis is based on this flawed assumption.

> If three's a CVE that's against systemd it covers all of systemd and hence the CVE still applies to sd-boot even if the code is unaffected

I don't know what you're trying to say. CVEs generally apply to some specific
part of the code,
which means that (for a project like systemd that builds multiple binaries), it
applies to one
or more binaries. When analyzing a CVE, figuring out *where* it applies is
generally one of the
first steps. So we will know if the boot loader binaries can be affected, and
whether to
update them or not. Whether the packages are separate or not would only matter
if we were mechanically
creating an update for every CVE without any scope analysis.

> With a different repo it can release when it has new features/fixes

True.

> and be independent bumps which is especially useful for dealing with CVEs.

Actually we retain the ability to do independent bumps even with the split as
it
is implemented now.


-- 
You are receiving this mail because:
You are always notified about changes to this product and component
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2079784
_______________________________________________
package-review mailing list -- package-review@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to package-review-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-review@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite Conditions]     [KDE Users]

  Powered by Linux