From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.groups.io with SMTP id smtpd.web10.6294.1570636491699606247 for ; Wed, 09 Oct 2019 08:54:51 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: redhat.com, ip: 209.132.183.28, mailfrom: lersek@redhat.com) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3CD63A44AF2; Wed, 9 Oct 2019 15:54:51 +0000 (UTC) Received: from lacos-laptop-7.usersys.redhat.com (ovpn-120-11.rdu2.redhat.com [10.10.120.11]) by smtp.corp.redhat.com (Postfix) with ESMTP id EBED76060D; Wed, 9 Oct 2019 15:54:49 +0000 (UTC) Subject: Re: [edk2-devel] [PATCH v1 0/4] Support HTTPS HostName validation feature(CVE-2019-14553) From: "Laszlo Ersek" To: devel@edk2.groups.io, jian.j.wang@intel.com, "Wu, Jiaxin" , David Woodhouse , Bret Barkelew Reply-To: devel@edk2.groups.io, lersek@redhat.com References: <20190927034441.3096-1-Jiaxin.wu@intel.com> <69774fe6-ea00-44b9-5468-c092dea6cd36@redhat.com> Message-ID: Date: Wed, 9 Oct 2019 17:54:48 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <69774fe6-ea00-44b9-5468-c092dea6cd36@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (mx1.redhat.com [10.5.110.68]); Wed, 09 Oct 2019 15:54:51 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit On 10/01/19 01:21, Laszlo Ersek wrote: > On 09/29/19 08:09, Wang, Jian J wrote: >> For this patch series, >> 1. " Contributed-under: TianoCore Contribution Agreement 1.1" is not needed any more. >> Remove it at push time and no need to send a v2. >> 2. Since it's security patch which had been reviewed separately, I see no reason for new r-b >> required. Please raise it asap if any objections. >> 3. Acked-by: Jian J Wang > > > * Can you please confirm that these patches match those that we > discussed here: > > https://bugzilla.tianocore.org/show_bug.cgi?id=960#c18 > https://bugzilla.tianocore.org/show_bug.cgi?id=960#c19 To answer my own question, I've now compared the patches from those BZ comments linked above, with the present series. Here's a list of differences. (1) The subject lines now include the reference "(CVE-2019-14553)". This is great, *but* please be sure to insert a space character before the opening parenthesis! (In every patch.) (2) The commit messages reference both the BZ and the CVE number. Good. (3) In the commit messages, the line Contributed-under: TianoCore Contribution Agreement 1.0 has been upgraded to Contributed-under: TianoCore Contribution Agreement 1.1 I think this is wrong. The lines should have been removed, due to the SPDX adoption. Please update all the commit messages. (4) Copyright notice updates are gone from the patches. That's fine: the reason is that the underlying files have seen their copyright notices updated, meanwhile. Otherwise, the patches (code, commit messages, and feedback tags) are identical. Before you push the patches (or post a v2), please fix issues (1) and (3). Now, regarding the other set of questions: > * In the BZ, David and Bret raised some questions: > > https://bugzilla.tianocore.org/show_bug.cgi?id=960#c31 > https://bugzilla.tianocore.org/show_bug.cgi?id=960#c32 > https://bugzilla.tianocore.org/show_bug.cgi?id=960#c35 > https://bugzilla.tianocore.org/show_bug.cgi?id=960#c36 > > and > > https://bugzilla.tianocore.org/show_bug.cgi?id=960#c40 > > The latest comment in the bug is c#41. I'm not under the impression that > all concerns raised by David and Bret have been addressed (or > abandoned). I'd like David and Bret to ACK the patches. I'll first have to process the new comments down-thread. Thanks Laszlo