Re: Patch List for 202002 stable tag

["Laszlo Ersek" <lersek@redhat.com>]

On 02/18/20 15:08, Gao, Liming wrote:
> Hi Stewards and all:
>   I collect current patch lists in devel mail list. Those patch
>   contributors request to add them for 201902 stable tag. Because we
>   have enter into Soft Feature Freeze, I want to collect your feedback
>   for them. If any patches are missing, please reply this mail to add
>   them.
>
> Feature List (under review):

According to
<https://github.com/tianocore/tianocore.github.io/wiki/SoftFeatureFreeze>,
features can be merged during the SFF if their review completed before
the SFF.

The SFF date is 2020-02-14 00:00:00 UTC-8, per
<https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning>.
For me (in CET = UTC+1), that makes the deadline 2020-02-14 09:00:00
CET.

> https://edk2.groups.io/g/devel/topic/patch_v3_0_1_add_pcd_to/69401948
> [PATCH v3 0/1] Add PCD to disable safe string constraint assertions
> (solution under discussion)

Posted on 2020-01-03. Review doesn't appear complete. Technically
speaking, it has missed edk2-stable202002.

There were two large gaps in the review process, namely between these
messages:

- https://edk2.groups.io/g/devel/message/53026 [2020-01-08]
- https://edk2.groups.io/g/devel/message/53485 [2020-01-27]
- https://edk2.groups.io/g/devel/message/54133 [2020-02-10]

If review seems stuck, it's advisable to ping once per week, or a bit
more frequently. Two weeks ore more between pings is way too long.

> https://edk2.groups.io/g/devel/message/54122 [PATCH 1/1] ShellPkg: Add
> support for input with separately reported modifiers (under review, is
> this a feature or bug in the disucssion)

The subject starts with "Add support for...", so it's a new feature, or
at least a feature-enablement.

Posted on 2020-02-10. Has not been reviewed yet, AFAICT. Same situation
as above. (Missed edk2-stable202002, technically speaking.)

Note: I don't have a personal preference either way. I'm just pointing
out what the SFF definition formally dictates, in my interpretation.

If we want to extend the freeze dates, I won't object.

> Bug List (reviewed):
> https://edk2.groups.io/g/devel/message/54416 [PATCH v2 00/10] Fix
> false negative issue in DxeImageVerificationHandler(CVE-2019-14575)

Clearly a bug fix; it could go in even during the HFF
<https://github.com/tianocore/tianocore.github.io/wiki/HardFeatureFreeze>.

> https://edk2.groups.io/g/devel/message/54523 [PATCH
> v1][edk2-stable202002] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo
> Unmap in TRB creation (CVE-2019-14587)

Ditto.

> https://edk2.groups.io/g/devel/message/54510 [PATCH v6 0/2]
> Enhancement and Fixes to BaseHashApiLib

Hm. I feel like I need some convincing that patch#1 --
"CryptoPkg/BaseHashApiLib: Align BaseHashApiLib with TPM 2.0
Implementation" -- is *also* a bugfix (like patch#2).

That question matters because the reviews:

- https://edk2.groups.io/g/devel/message/54513
- https://edk2.groups.io/g/devel/message/54567

were not posted before the SFF.

... I guess it's OK.

> https://edk2.groups.io/g/devel/message/53703 [PATCH V2] UefiCpuPkg
> RegisterCpuFeaturesLib: Match data type and format specifier

Even if this were a feature, it could go in; the review was posted in
time:
- https://edk2.groups.io/g/devel/message/53803

In fact I don't understand why it hasn't been merged for more than a
week now!

> https://edk2.groups.io/g/devel/message/53577 [PATCH v1 1/1] ShellPkg:
> acpiview: Remove duplicate ACPI structure size definitions

Approved in time, regardless of bugfix vs. feature. Should go in.

> https://edk2.groups.io/g/devel/message/54192 [PATCH v2 1/1] ShellPkg:
> acpiview: Validate ACPI table 'Length' field

The review was posted past the SFF, but I agree this looks like a
bugfix, so should be OK. (Supplying missing input sanitization is
arguably a fix.)

>
> Bug List (under review)
> https://edk2.groups.io/g/devel/message/54361 [PATCH 1/1]
> NetworkPkg/ArpDxe: Recycle invalid ARP packets(CVE-2019-14559)
> https://edk2.groups.io/g/devel/message/54569 [PATCH v3]
> NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559)

CVE fixes can clearly go in during the HFF too.

> https://edk2.groups.io/g/devel/message/54448 [PATCH v1 1/1] ShellPkg:
> acpiview: Prevent infinite loop if structure length is 0

Similar to "ShellPkg: acpiview: Validate ACPI table 'Length' field";
should be OK.


Just my opinion, of course.

Thanks
Laszlo