Correct SVN revision for latest security fix

George Mitchell george+freebsd at m5p.com
Thu Nov 14 20:03:05 UTC 2019


On 2019-11-14 13:20, Gordon Tetlow wrote:
> [... a very good explanation of the final steps of the commit process ...]
> 3 is what we do currently. This has the drawback you cite above. If you
> checkout the revision cited, the patch level hasn't been revved at this
> point. What I can say though, if you are running a system that lists
> -p1, then you are guaranteed to have the patches that were part of -p1.
> 
> Between the options above, I'll pick option three.
> 
> Best regards,
> Gordon
> Hat: Security Officer
> 

There's nothing wrong with your process.  But these two lines of the
security announcement message seem to me to be contradictory in their
implications.  Taking 11.3-RELEASE as an example, the message started
by announcing that the problem is corrected in:

                2019-11-12 18:13:04 UTC (releng/11.3, 11.3-RELEASE-p5)

But then near the end, it says:

releng/11.3/                                                     r354653

So I dutifully updated to r354653, recompiled, and reinstalled.  Voilà!
uname -r told me "11.3-RELEASE-p4".  On all previous occasions, when I
updated to the SVN revision given in the email announcement, I would
get the version cited in the announcement, so I was surprised by the
discrepancy.

And since newvers.sh was committed at Nov 12 18:13:51 UTC, and the
security announcement was emailed at 12 Nov 2019 19:12:06 UTC, shouldn't
the announcement have referred to revision 354654?  When I updated to
that version, recompiled, and reinstalled, sure enough uname -r told me
"11.3-RELEASE-p5" as I expected in the first place.

354654 is also the correct revision for 12.0-RELEASE and 12.1-RELEASE.
I would recommend emailing a corrected security advisory announcement
for consistency with all previous security advisory announcements I've
ever seen.  Thank you for your attention.                    -- George
