Hi all,

The reason why I'm asking specifically like this is that the problem is inside the bundled zlib library. The "official" solution for fixing it (https://nvd.nist.gov/vuln/detail/CVE-2022-37434) is to update the bundled zlib library (https://github.com/grpc/grpc/pull/31595), which shouldn't be done with an easy patch, I guess.
So how to proceed with that?

Regards,
Andrej

On Wed, 2023-01-11 at 21:24 -0500, Randy MacLeod via lists.openembedded.org wrote:
> On 2023-01-11 13:27, Khem Raj via lists.openembedded.org wrote:
> > On Wed, Jan 11, 2023 at 10:07 AM Steve Sakoman <[email protected]> wrote:
> > >
> > > Hi Andrej,
> > >
> > > I'm the maintainer for openembedded-core, and gRPC is in
> > > meta-openembedded. So this isn't my call to make.
> > >
> > > However we typically only take version bumps if they are security/bug
> > > fix only releases. So if this is the case, you can submit a patch.
> > > But please be sure to include either release notes or change log so
> > > the meta-openembedded maintainer can verify that it is suitable for a
> > > stable release.
> >
> > Thanks Steve, the policy is the same for all OE layers. I will wait for Armin
> > (Release Maintainer for meta-openembedded) to take the final call.
>
> I vote for no update based on a quickish look.
>
> Armin,
>
> To save you some review, see the data below that indicates that there's
> an apparently stable release maintenance scheme and
> 1.50.x is > 1200 commits ahead and *likely* breaks ABI.
>
> Andrei,
>
> Is your CVE covered by any fixes on the stable release?
> If not, best to get it merged upstream in addition to backporting
> the fix as a patch in meta-oe.
>
> ../Randy
>
>
> $ git clone https://github.com/grpc/grpc.git
> $ cd grpc
>
> $ git log --oneline v1.45.2..v1.50.1 | wc -l
> 1259
>
> $ git diff v1.45.2..v1.50.1 | diffstat | tail -1
> 3763 files changed, 198007 insertions(+), 213762 deletions(-)
>
> $ git checkout v1.45.x
> ...
>
> # oh, I forgot to show the stable branches:
> $ git branch -a | rg v1.[45][0-9]
> * v1.45.x
>   remotes/origin/v1.40.x
>   remotes/origin/v1.41.x
>   remotes/origin/v1.42.x
>   remotes/origin/v1.43.x
>   remotes/origin/v1.44.x
>   remotes/origin/v1.45.x
>   remotes/origin/v1.46.x
>   remotes/origin/v1.47.x
>   remotes/origin/v1.48.x
>   remotes/origin/v1.49.x
>   remotes/origin/v1.50.x
>   remotes/origin/v1.51.x
>
> # What's not included in our 1.45.2?
> $ git log --oneline v1.45.2...
> 4af1fe173d (HEAD -> v1.45.x, origin/v1.45.x) xDS interop: resume circuit_breaking test (#32038) (#32056)
> 60863b633e [CPP] xDS interop GCE framework: pin grpcio-tools to use protobuf 3.x (#31214) (#31221)
> 0a1c8d3c5c xDS interop GCE framework: pin grpcio-tools to use protobuf 3.x (#31191) (#31201)
> 129dd25c33 xDS interop: buildscripts: fix run_test return status (#30768) (#30879)
> (#30735) (#30860)
> d19a439577 xDS interop: Python LB tests build and use the python server (#30637) (#30658)
> (#30520) (#30532)
> 12df388e8b xds interop: choose correct cluster in grpc_xds_k8s_lb_python.sh (#30309) (#30332)
> ea0f9b29f7 xds-k8s jobs: standardize TESTING_VERSION (#30027) (#30050)
> 14afb3a3ea Disable layering check for Objective-C (#29375)
>
> # When were those commits made?
> $ git log v1.45.2... | rg Date:
> Date: Tue Jan 10 13:35:42 2023
> Date: Mon Oct 3 15:23:06 2022
> Date: Mon Oct 3 13:35:02 2022
> Date: Thu Sep 8 16:57:24 2022
> Date: Tue Sep 6 20:47:18 2022
> Date: Fri Aug 19 17:22:21 2022
> Date: Mon Aug 8 21:33:59 2022
> Date: Tue Jul 19 17:31:09 2022
> Date: Fri Jun 17 18:37:56 2022
> Date: Tue Apr 19 14:45:30 2022
>
> so it looks like there's a stable branching strategy.
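The two checks Randy's reply asks for (is the fix already on the stable branch, and if not, can it be carried as a backport patch in meta-oe) can be scripted. The shell below is an added example, not code from this thread, from gRPC or from meta-openembedded: it builds a throwaway git repository whose development branch and v1.45.x stable branch stand in for upstream, with a one-line stand-in for the bundled zlib source, so it runs offline. All file names, branch names, commit messages and the CVE-2022-37434.patch file name in the .bbappend comment are constructed for illustration; on a real tree you would point the same functions at the grpc clone and at the upstream fix commit.

```shell
#!/bin/sh
# Added example (not code from the thread, gRPC or meta-openembedded).
# Builds a constructed git repo with a development branch and a v1.45.x
# stable branch, then answers: (1) does the stable branch already contain
# the fix commit, and (2) does that commit export as a patch that applies
# cleanly to the stable tree, i.e. can a recipe carry it in SRC_URI.
set -eu

# make_repo: create the constructed repository and print its path.
# Commit 1 is the "import" that v1.45.x forks from; commit 2 on the
# development branch is the fix to be backported. inflate.c is a stand-in.
make_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" symbolic-ref HEAD refs/heads/main
  git -C "$repo" config user.email "example@example.invalid"
  git -C "$repo" config user.name "example"
  printf 'len = extra_len - length;\n' > "$repo/inflate.c"
  git -C "$repo" add inflate.c
  git -C "$repo" commit -q -m 'third_party: import bundled zlib (constructed)'
  git -C "$repo" branch v1.45.x   # stable branch forks here, without the fix
  printf 'len = extra_len - length;\nif (len + copy > extra_max) len = extra_max - copy;\n' \
    > "$repo/inflate.c"
  git -C "$repo" commit -q -a -m 'third_party: bound zlib extra field copy (constructed)'
  echo "$repo"
}

# fix_on_branch REPO COMMIT BRANCH: print "yes" if COMMIT is an ancestor of
# BRANCH (the stable branch already carries the fix), otherwise "no".
fix_on_branch() {
  if git -C "$1" merge-base --is-ancestor "$2" "$3"; then
    echo yes
  else
    echo no
  fi
}

# make_backport_patch REPO COMMIT: export COMMIT as a mailbox-style patch in a
# fresh directory and print the patch path. This is the file a .bbappend would
# add (file name assumed for illustration):
#   FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
#   SRC_URI += "file://CVE-2022-37434.patch"
make_backport_patch() {
  out=$(mktemp -d)
  git -C "$1" format-patch -q -1 "$2" -o "$out" >/dev/null
  echo "$out"/*.patch
}

# patch_applies REPO BRANCH PATCH: print "yes" if PATCH applies cleanly to the
# tree at BRANCH, else "no". `git apply --check` changes nothing.
patch_applies() {
  git -C "$1" checkout -q "$2"
  if git -C "$1" apply --check "$3" 2>/dev/null; then
    echo yes
  else
    echo no
  fi
}

# Stand-alone run mirroring the questions in the thread.
repo=$(make_repo)
fix=$(git -C "$repo" rev-parse main)
echo "fix already on v1.45.x: $(fix_on_branch "$repo" "$fix" v1.45.x)"
patch=$(make_backport_patch "$repo" "$fix")
echo "backport patch: $patch"
echo "applies to v1.45.x: $(patch_applies "$repo" v1.45.x "$patch")"
```

With a real clone, replace the constructed repo with the grpc checkout and the fix hash with the upstream commit you intend to backport; `merge-base --is-ancestor` is the quick way to confirm whether any of the v1.4x.x branches listed above already carries it before a patch goes into meta-oe.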
