From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.61])
 by mx.groups.io with SMTP id smtpd.web09.1196.1582056282750274396
 for <devel@edk2.groups.io>;
 Tue, 18 Feb 2020 12:04:43 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=RvODBzJd;
 spf=pass (domain: redhat.com, ip: 205.139.110.61, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1582056281;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=+KXN/ggM5u2wc0NNV1Ai2VKudxpHc7fgOTICjLQ0sUk=;
	b=RvODBzJd6tPFYab8OIuB9x/snQvn1tw3jmkOfvG0QaVjwW9bW4UnoW3XEGOOFj4Vjw2IxZ
	jrXPSdp7XM9F+fkSpyyH40QmnYT+CpQE9zqEPrRXLuTJdsHkraiLSVH454Oaxi8FcfM7pq
	hxP2HPsKN4FDaloObR4saiTMiurGw6c=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-282-tEFTJkOBO0GuJQwbePc1RQ-1; Tue, 18 Feb 2020 15:04:31 -0500
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 0427E1414;
	Tue, 18 Feb 2020 20:04:30 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (unknown [10.36.118.49])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 2EE4119481;
	Tue, 18 Feb 2020 20:04:27 +0000 (UTC)
From: "Laszlo Ersek" <lersek@redhat.com>
Subject: Re: Patch List for 202002 stable tag
To: "Gao, Liming" <liming.gao@intel.com>,
 "Guptha, Soumya K" <soumya.k.guptha@intel.com>,
 "Kinney, Michael D" <michael.d.kinney@intel.com>,
 "leif@nuviainc.com" <leif@nuviainc.com>, "afish@apple.com" <afish@apple.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>
References: <7f58502307c643999e73ee73673f5fae@intel.com>
Message-ID: <b5ce3366-2a08-2853-fb05-e967564056de@redhat.com>
Date: Tue, 18 Feb 2020 21:04:27 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <7f58502307c643999e73ee73673f5fae@intel.com>
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-MC-Unique: tEFTJkOBO0GuJQwbePc1RQ-1
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit

On 02/18/20 15:08, Gao, Liming wrote:
> Hi Stewards and all:
>   I collect current patch lists in devel mail list. Those patch
>   contributors request to add them for 201902 stable tag. Because we
>   have enter into Soft Feature Freeze, I want to collect your feedback
>   for them. If any patches are missing, please reply this mail to add
>   them.
>
> Feature List (under review):

According to
<https://github.com/tianocore/tianocore.github.io/wiki/SoftFeatureFreeze>,
features can be merged during the SFF if their review completed before
the SFF.

The SFF date is 2020-02-14 00:00:00 UTC-8, per
<https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning>.
For me (in CET = UTC+1), that makes the deadline 2020-02-14 09:00:00
CET.

> https://edk2.groups.io/g/devel/topic/patch_v3_0_1_add_pcd_to/69401948
> [PATCH v3 0/1] Add PCD to disable safe string constraint assertions
> (solution under discussion)

Posted on 2020-01-03. Review doesn't appear complete. Technically
speaking, it has missed edk2-stable202002.

There were two large gaps in the review process, namely between these
messages:

- https://edk2.groups.io/g/devel/message/53026 [2020-01-08]
- https://edk2.groups.io/g/devel/message/53485 [2020-01-27]
- https://edk2.groups.io/g/devel/message/54133 [2020-02-10]

If review seems stuck, it's advisable to ping once per week, or a bit
more frequently. Two weeks ore more between pings is way too long.

> https://edk2.groups.io/g/devel/message/54122 [PATCH 1/1] ShellPkg: Add
> support for input with separately reported modifiers (under review, is
> this a feature or bug in the disucssion)

The subject starts with "Add support for...", so it's a new feature, or
at least a feature-enablement.

Posted on 2020-02-10. Has not been reviewed yet, AFAICT. Same situation
as above. (Missed edk2-stable202002, technically speaking.)

Note: I don't have a personal preference either way. I'm just pointing
out what the SFF definition formally dictates, in my interpretation.

If we want to extend the freeze dates, I won't object.

> Bug List (reviewed):
> https://edk2.groups.io/g/devel/message/54416 [PATCH v2 00/10] Fix
> false negative issue in DxeImageVerificationHandler(CVE-2019-14575)

Clearly a bug fix; it could go in even during the HFF
<https://github.com/tianocore/tianocore.github.io/wiki/HardFeatureFreeze>.

> https://edk2.groups.io/g/devel/message/54523 [PATCH
> v1][edk2-stable202002] MdeModulePkg/SdMmcPciHcDxe: Fix double PciIo
> Unmap in TRB creation (CVE-2019-14587)

Ditto.

> https://edk2.groups.io/g/devel/message/54510 [PATCH v6 0/2]
> Enhancement and Fixes to BaseHashApiLib

Hm. I feel like I need some convincing that patch#1 --
"CryptoPkg/BaseHashApiLib: Align BaseHashApiLib with TPM 2.0
Implementation" -- is *also* a bugfix (like patch#2).

That question matters because the reviews:

- https://edk2.groups.io/g/devel/message/54513
- https://edk2.groups.io/g/devel/message/54567

were not posted before the SFF.

... I guess it's OK.

> https://edk2.groups.io/g/devel/message/53703 [PATCH V2] UefiCpuPkg
> RegisterCpuFeaturesLib: Match data type and format specifier

Even if this were a feature, it could go in; the review was posted in
time:
- https://edk2.groups.io/g/devel/message/53803

In fact I don't understand why it hasn't been merged for more than a
week now!

> https://edk2.groups.io/g/devel/message/53577 [PATCH v1 1/1] ShellPkg:
> acpiview: Remove duplicate ACPI structure size definitions

Approved in time, regardless of bugfix vs. feature. Should go in.

> https://edk2.groups.io/g/devel/message/54192 [PATCH v2 1/1] ShellPkg:
> acpiview: Validate ACPI table 'Length' field

The review was posted past the SFF, but I agree this looks like a
bugfix, so should be OK. (Supplying missing input sanitization is
arguably a fix.)

>
> Bug List (under review)
> https://edk2.groups.io/g/devel/message/54361 [PATCH 1/1]
> NetworkPkg/ArpDxe: Recycle invalid ARP packets(CVE-2019-14559)
> https://edk2.groups.io/g/devel/message/54569 [PATCH v3]
> NetworkPkg/Ip4Dxe: Check the received package length (CVE-2019-14559)

CVE fixes can clearly go in during the HFF too.

> https://edk2.groups.io/g/devel/message/54448 [PATCH v1 1/1] ShellPkg:
> acpiview: Prevent infinite loop if structure length is 0

Similar to "ShellPkg: acpiview: Validate ACPI table 'Length' field";
should be OK.


Just my opinion, of course.

Thanks
Laszlo