Buildroot Archive on lore.kernel.org
From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Woodrow Douglass via buildroot <buildroot@buildroot.org>
Cc: Woodrow Douglass <wdouglass@carnegierobotics.com>
Subject: Re: [Buildroot] [PATCH v3] package/chicken: security bump to 5.4.0
Date: Sat, 24 Aug 2024 09:07:53 +0200
Message-ID: <20240824090753.551ad073@windsurf>
In-Reply-To: <20240821124414.8330-1-wdouglass@carnegierobotics.com>

On Wed, 21 Aug 2024 08:44:14 -0400
Woodrow Douglass via buildroot <buildroot@buildroot.org> wrote:

> This release includes a fix for CVE-2022-45145
> 
> Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
> 
> --
> Changes v2 -> v3:
>   - Add this changelog to commit message
>   - Add Signed-off-by to commit message
> 
> Changes v1 -> v2:
>   - Update version numbers in hash file
> 
> Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
> ---
>  package/chicken/chicken.hash | 4 ++--
>  package/chicken/chicken.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)

Sorry to be annoying, but this patch breaks the legal information for
this package:

>>> chicken 5.4.0 Patching
>>> chicken 5.4.0 Collecting legal info
ERROR: while checking hashes from package/chicken/chicken.hash
ERROR: LICENSE has wrong sha256 hash:
ERROR: expected: b434ac92e094214136a6b5032f0dc9da97f22cef084ac1d0131b02a09e2caa37
ERROR: got     : c0ed699d5c4a8687f90a6488244f7f57d48a7f2d42bb7461b08a0d69a07d4f58
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
make: *** [package/chicken/chicken.mk:46: chicken-legal-info] Error 1

So the hash of the license file needs to be updated *and* an
explanation about the changes in the license files must be added in the
commit log.

Also, please note that updating from 5.3.0 to 5.4.0 is OK as the
package is new in 2024.08, but as it fixes a security issue, we need to
have this fix in master, and therefore a more minimal update to 5.3.1
would have been preferable for master (and the update to 5.4.0 in our
next branch). But again, as this package is new, I think it is OK to
upgrade to 5.4.0 even in our master branch.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
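
The hash check that fails in the message above can be reproduced before a version bump is sent. The following is an added example, not code from Buildroot or from this thread: it assumes `.hash` lines of the form `<algo>  <hex digest>  <file>` with `#` comments, and the function names and sample data are hypothetical and constructed.

```python
import hashlib
import tempfile
from pathlib import Path

ALGOS = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}

def parse_hash_file(text):
    """Yield (algo, digest, name) from '<algo>  <hex>  <file>' lines; '#' starts a comment."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 3 or fields[0] not in ALGOS:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        yield fields[0], fields[1].lower(), fields[2]

def check_tree(hash_text, src_dir):
    """Compare each listed file that exists under src_dir with its recorded digest."""
    results = []
    for algo, expected, name in parse_hash_file(hash_text):
        path = Path(src_dir) / name
        if not path.is_file():
            # Typically the source archive, which lives outside the extracted tree.
            results.append((name, "absent", expected, None))
            continue
        got = hashlib.new(algo, path.read_bytes()).hexdigest()
        status = "ok" if got == expected else "mismatch"
        results.append((name, status, expected, got))
    return results

def demo():
    """Constructed case: the license text changed upstream but the .hash entry was not updated."""
    old_text, new_text = b"Copyright (c) 2007-2022\n", b"Copyright (c) 2007-2024\n"
    hash_text = (
        "# Locally computed (constructed sample)\n"
        f"sha256  {'0' * 64}  example-1.1.tar.gz\n"
        f"sha256  {hashlib.sha256(old_text).hexdigest()}  LICENSE\n"
    )
    with tempfile.TemporaryDirectory() as src:
        (Path(src) / "LICENSE").write_bytes(new_text)
        return check_tree(hash_text, src)

if __name__ == "__main__":
    for name, status, expected, got in demo():
        print(f"{status:8} {name}")
        if status == "mismatch":
            print(f"  expected: {expected}\n  got     : {got}")
```

A `mismatch` on a license file is the case where the new text should be diffed against the previous release, so that the hash is updated and the change is described in the commit log.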
