Subject: Re: [edk2-devel] pixiefail
From: Laszlo Ersek
To: devel@edk2.groups.io, dougflick@microsoft.com, Gerd Hoffmann
Cc: Jon Maloy
Date: Wed, 24 Jan 2024 15:35:45 +0100

On 1/23/24 19:49, Doug Flick via groups.io wrote:
> Gerd,
>
> As a new EDK2 developer, I'm working through getting the patches up
> to EDK2 but I have to follow the EDK2 patch process which is not the
> fastest thing to follow and also not my day job. If you want to see
> where I am you can look at the CI Pipeline. The patches were reviewed
> during the GHSA process by the Infosec group and have been shipping
> in devices already. I'm hoping to have the patches on the mailing
> list by EOD. This is a great topic for ways we can speed up the
> review process and contribution process - particularly for security
> patches and it would be great to get more people actively involved in
> reviews and testing during creation and delivery of patches.

The review process for embargoed security patches has never been worked out, to my knowledge. Bugzilla is unsuitable for that. (I'm speaking from experience.
It is impossible to comment sensibly on patches attached to bugzilla tickets, and in particular incremental reviews are terrible.)

In some other projects, email based patch review remains the process for embargoed patches too, with one difference to the normal process: either no mailing list is included (that is, the email thread, including the initial posting of the series, keeps addressing the same fixed set of humans), or else a mailing list with no public archives, and with hand-moderated memberships, is included. This permits the same tooling (git-am for local testing, and inline review comments) as the normal, public workflow.

However, some of the edk2 participants don't consider such an email-based process secure enough for circulating embargoed patches. A closed organization on github.com might be used as a replacement. That would have its own problems, though (inconsistency with the normal patch review process, extra management of memberships, disappearance of early (hence, not merged) versions of security patch sets, etc).

I figure the most flexible approach for those that dislike email-based review for embargoed patches would be if github.com supported locked down *PRs* (i.e., not private organizations). In other words, if those PRs would be submitted against the same base repository and master branch as every other PR, *but* they wouldn't be visible to anyone except to a restricted group, and could never be merged. (For merging, the approved version of the series would have to be posted publicly, after the embargo.)

...

Technically, the last paragraph could be implemented with current github.com features: create a locked-down organization, fork edk2 under that organization (without adding any non-upstream changes to the fork), and submit the embargoed patch series as a PR against the fork. Never merge the patch set into the fork (only use the fork for patch review).
Laszlo