Message ID | 20240821124414.8330-1-wdouglass@carnegierobotics.com
---|---
State | Changes Requested
Series | [v3] package/chicken: security bump to 5.4.0
On Wed, 21 Aug 2024 08:44:14 -0400
Woodrow Douglass via buildroot <buildroot@buildroot.org> wrote:

> This release includes a fix for CVE-2022-45145
>
> Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
>
> --
> Changes v2 -> v3:
> - Add this changelog to commit message
> - Add Signed-off-by to commit message
>
> Changes v1 -> v2:
> - Update version numbers in hash file
>
> Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
> ---
> package/chicken/chicken.hash | 4 ++--
> package/chicken/chicken.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)

Sorry to be annoying, but this patch breaks the legal information for this package:

>>> chicken 5.4.0 Patching
>>> chicken 5.4.0 Collecting legal info
ERROR: while checking hashes from package/chicken/chicken.hash
ERROR: LICENSE has wrong sha256 hash:
ERROR: expected: b434ac92e094214136a6b5032f0dc9da97f22cef084ac1d0131b02a09e2caa37
ERROR: got : c0ed699d5c4a8687f90a6488244f7f57d48a7f2d42bb7461b08a0d69a07d4f58
ERROR: Incomplete download, or man-in-the-middle (MITM) attack
make: *** [package/chicken/chicken.mk:46: chicken-legal-info] Error 1

So the hash of the license file needs to be updated *and* an explanation about the changes in the license files must be added in the commit log.

Also, please note that updating from 5.3.0 to 5.4.0 is OK as the package is new in 2024.08, but as it fixes a security issue, we need to have this fix in master, and therefore a more minimal update to 5.3.1 would have been preferable for master (and the update to 5.4.0 in our next branch). But again, as this package is new, I think it is OK to upgrade to 5.4.0 even in our master branch.

Thomas
On 8/24/24 03:07, Thomas Petazzoni wrote:
> On Wed, 21 Aug 2024 08:44:14 -0400
> Woodrow Douglass via buildroot <buildroot@buildroot.org> wrote:
>
>> This release includes a fix for CVE-2022-45145
>>
>> Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
>>
>> --
>> Changes v2 -> v3:
>> - Add this changelog to commit message
>> - Add Signed-off-by to commit message
>>
>> Changes v1 -> v2:
>> - Update version numbers in hash file
>>
>> Signed-off-by: Woodrow Douglass <wdouglass@carnegierobotics.com>
>> ---
>> package/chicken/chicken.hash | 4 ++--
>> package/chicken/chicken.mk | 2 +-
>> 2 files changed, 3 insertions(+), 3 deletions(-)
> Sorry to be annoying, but this patch breaks the legal information for

Not annoying at all, it's my lack of diligence, I'm sorry. I'll add `make chicken-legal-info` to my list of things I do to test.

> this package:
>
>>>> chicken 5.4.0 Patching
>>>> chicken 5.4.0 Collecting legal info
> ERROR: while checking hashes from package/chicken/chicken.hash
> ERROR: LICENSE has wrong sha256 hash:
> ERROR: expected: b434ac92e094214136a6b5032f0dc9da97f22cef084ac1d0131b02a09e2caa37
> ERROR: got : c0ed699d5c4a8687f90a6488244f7f57d48a7f2d42bb7461b08a0d69a07d4f58
> ERROR: Incomplete download, or man-in-the-middle (MITM) attack
> make: *** [package/chicken/chicken.mk:46: chicken-legal-info] Error 1
>
> So the hash of the license file needs to be updated *and* an
> explanation about the changes in the license files must be added in the
> commit log.
>
> Also, please note that updating from 5.3.0 to 5.4.0 is OK as the
> package is new in 2024.08, but as it fixes a security issue, we need to
> have this fix in master, and therefore a more minimal update to 5.3.1
> would have been preferable for master (and the update to 5.4.0 in our
> next branch). But again, as this package is new, I think it is OK to
> upgrade to 5.4.0 even in our master branch.
>
> Thomas
> --
> Thomas Petazzoni, CTO, Bootlin
> Embedded Linux and Kernel engineering
> https://bootlin.com

I'll send a revision of the patch soon

Thanks,
Woodrow Douglass
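The failure Thomas reports and the `make chicken-legal-info` check Woodrow mentions both come down to Buildroot comparing every entry of the package .hash file against the extracted files. The script below is an added example, not Buildroot's own code or part of this patch: a small stand-in for that check that parses the `.hash` format shown in the diff and reproduces the stale-LICENSE failure on constructed files (the file contents, names and `demo` function are assumptions).

```shell
#!/bin/sh
# Added example, not Buildroot's own code: a minimal stand-in for the hash
# check behind "make <pkg>-legal-info". It parses a Buildroot-style .hash file
# ("sha256 <digest> <file>", "#" comments), verifies each listed file and prints
# expected/got lines like those in the review above. Assumes sha256sum/mktemp.

# Verify one file. Returns 0 on match, 1 on mismatch, 2 if the file is missing.
check_one() {
    algo=$1; expected=$2; file=$3
    [ -f "$file" ] || { echo "ERROR: $(basename "$file") is missing"; return 2; }
    got=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$got" != "$expected" ]; then
        echo "ERROR: $(basename "$file") has wrong $algo hash:"
        echo "ERROR: expected: $expected"
        echo "ERROR: got     : $got"
        return 1
    fi
    return 0
}

# Check every sha256 entry of $1 against the files under $2.
# Returns the number of failing entries (0 means all hashes match).
check_hash_file() {
    hashfile=$1; dir=$2; failures=0
    while read -r algo digest name; do
        case "$algo" in ''|'#'*) continue ;; esac   # blank line or comment
        [ "$algo" = sha256 ] || continue             # only sha256 handled here
        check_one "$algo" "$digest" "$dir/$name" || failures=$((failures + 1))
    done < "$hashfile"
    return "$failures"
}

# Constructed scenario mirroring the patch: the tarball entry was refreshed,
# but LICENSE changed upstream while its "Locally computed" digest was not.
demo() {
    tmp=$(mktemp -d)
    printf 'fake tarball contents\n' > "$tmp/chicken-5.4.0.tar.gz"
    printf 'BSD-3-Clause text as shipped in 5.4.0\n' > "$tmp/LICENSE"
    tar_ok=$(sha256sum "$tmp/chicken-5.4.0.tar.gz" | cut -d' ' -f1)
    lic_old=$(printf 'BSD-3-Clause text as shipped in 5.3.0\n' | sha256sum | cut -d' ' -f1)
    {
        echo "# From upstream .sha256 file (constructed)"
        echo "sha256 $tar_ok chicken-5.4.0.tar.gz"
        echo "# Locally computed"
        echo "sha256 $lic_old LICENSE"
    } > "$tmp/chicken.hash"
    if check_hash_file "$tmp/chicken.hash" "$tmp"; then rc=0; else rc=$?; fi
    rm -rf "$tmp"
    return "$rc"   # 1: only the stale LICENSE entry fails
}
```

Source the script and call `demo`: the tarball entry passes, the LICENSE entry prints the expected/got pair, and the return value is the number of mismatches.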
diff --git a/package/chicken/chicken.hash b/package/chicken/chicken.hash index 5a553da792..0a3b0b15ce 100644 --- a/package/chicken/chicken.hash +++ b/package/chicken/chicken.hash @@ -1,4 +1,4 @@ -# From https://code.call-cc.org/releases/5.3.0/chicken-5.3.0.tar.gz.sha256 -sha256 c3ad99d8f9e17ed810912ef981ac3b0c2e2f46fb0ecc033b5c3b6dca1bdb0d76 chicken-5.3.0.tar.gz +# From https://code.call-cc.org/releases/5.4.0/chicken-5.4.0.tar.gz.sha256 +sha256 3c5d4aa61c1167bf6d9bf9eaf891da7630ba9f5f3c15bf09515a7039bfcdec5f chicken-5.4.0.tar.gz # Locally computed sha256 b434ac92e094214136a6b5032f0dc9da97f22cef084ac1d0131b02a09e2caa37 LICENSE diff --git a/package/chicken/chicken.mk b/package/chicken/chicken.mk index 0000fc635e..ca5f756995 100644 --- a/package/chicken/chicken.mk +++ b/package/chicken/chicken.mk @@ -4,7 +4,7 @@ # ################################################################################ -CHICKEN_VERSION = 5.3.0 +CHICKEN_VERSION = 5.4.0 CHICKEN_SITE = https://code.call-cc.org/releases/$(CHICKEN_VERSION) CHICKEN_LICENSE = BSD-3-Clause CHICKEN_LICENSE_FILES = LICENSE
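Review bot: the chicken.hash hunk refreshes only the tarball entry and leaves `sha256 b434ac92e094214136a6b5032f0dc9da97f22cef084ac1d0131b02a09e2caa37 LICENSE` at the 5.3.0 value, while the legal-info run quoted above shows the LICENSE file shipped in 5.4.0 hashes to c0ed699d5c4a8687f90a6488244f7f57d48a7f2d42bb7461b08a0d69a07d4f58, so `make chicken-legal-info` fails on this series as posted. Recompute the LICENSE digest from the 5.4.0 tarball, update that "Locally computed" line in the same hunk, and state in the commit log what changed in the license file between 5.3.0 and 5.4.0, since a silent license-text change is exactly what this check exists to catch.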
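Review bot: the chicken.mk hunk moves `CHICKEN_VERSION` straight from 5.3.0 to 5.4.0 although the commit message justifies the bump solely by the fix for CVE-2022-45145; as the review above notes, a security fix aimed at master would normally take the smallest upstream release carrying it (5.3.1 here) with 5.4.0 going to next. The package being new in 2024.08 makes 5.4.0 acceptable, but the commit log should say so explicitly so the reasoning is recorded alongside the CVE reference.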