On Fri, Feb 21, 2025 at 11:06:54AM +0100, Christian Hesse wrote:
> Daniel Kiper via Grub-devel <grub-devel@gnu.org> on Tue, 2025/02/18 19:00:
> > I am posting all the GRUB2 upstream patches which fix all security bugs
> > found and reported up until now. Major Linux distros carry or will carry
> > soon one form or another of these patches. Now all the GRUB2 upstream
> > patches are in the GRUB2 git repository [2] too.
>
> Let me investigate here...
>
> Most people do consider Arch Linux a major Linux distro, no? I do.
> So it is expected that we do ship a grub package "soon" that will carry "one
> form or another of these patches".
>
> Ok, what are these forms?
> Let's see what we have: Current git master has 212 commits since the last
> release, a whopping 73 of these being recent security fixes. That makes 139
> earlier commits randomly spread over the code base.
>
> First try: I started rebasing the 73 security commits on top of last release.
> Even the very first one had conflicts, so I gave up really soon with a really
> huge amount of work still ahead. Is every package maintainer supposed to do
> its own cherry-picking and backporting? IMHO this is not a viable "solution".
>
> Second try: There's nothing else, no? So we pushed a package built from git
> master. Soon we realized that was suffering issues and pulled it from the
> repository.
>
> Currently all Arch Linux users are left with a package of the last release -
> without any fixes for the countless vulnerabilities. Wondering how other
> distributions handle this. Can anybody shed some light on this?
>
> From my point of view as package maintainer I would like to see maintenance
> branches, at least one for the most recent release. This should carry
> important bug and security fixes. All distributions could base their packages
> on that, and provide really stable packages to their users, reducing the
> chance of random breakage.
> The current situation is just insane.

I can understand your frustration but I am afraid we are not able to do
much about it at this point. Sorry... We have problems with finding
people doing security patches, forward porting, reviews, tests, etc.
So, simply we do not have resources to maintain point releases either.
Though if somebody wants to step up and make it, I am happy with that...

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
