Date:   Thu, 12 Mar 2020 15:57:41 +0100
From:   Hans de Goede <hdegoede@...hat.com>
To:     Borislav Petkov <bp@...en8.de>
Cc:     Arvind Sankar <nivedita@...m.mit.edu>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H . Peter Anvin" <hpa@...or.com>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4 2/2] x86/purgatory: Make sure we fail the build if
 purgatory.ro has missing symbols

Hi,

On 3/12/20 3:49 PM, Borislav Petkov wrote:
> On Thu, Mar 12, 2020 at 03:38:22PM +0100, Hans de Goede wrote:
>> So I've sent out 2 versions, not 5 not 10, but only 2 versions in
>> the past 2 days and you start complaining about me rushing this and
>> not fixing it properly, to me that does not come across positive.
> 
> Maybe there's a misunderstanding: when you send a patchset which is not
> marked RFC, I read this, as, this patchset is ready for application. But
> then the 0day bot catches build errors which means, not ready yet.
> 
> And I believe you expected for the 0day bot to test the patches first
> and they should then be considered for application. Yes, no?

I guess this is the root cause of our misunderstanding. I certainly
did not expect the 0day bot to catch any issues, because I did not
expect there to be any pre-existing issues.

As said I wrote the patch because my sha256 changes from a while ago
broke the purgatory because of introducing a missing symbol. My intent
was to avoid a repeat of that regression by catching issues like this
during build time.  I did not expect there to already be (more)
such issues in the existing code; and I certainly did not expect
there to be more than 1 such issue.

So having to do v4 to fix one pre-existing issue was a surprise.
Having to then do a v5 because there was more than one pre-existing
issue was an even bigger surprise.

I understand that you are pushing-back against people using 0day bot
to find bugs for them and that was never my goal.

OTOH I don't appreciate getting push-back because of my change
exposing *pre*-existing bugs. I am not responsible for those
pre-existing bugs and as such I also do not feel responsible for
0day bot triggering on them. Are the 0day bot reports and the need
to rev the patch-set and post a new version annoying? Yes they are;
however they are not my fault.

Regards,

Hans
