On Fri, 2019-03-01 at 14:05 +0100, Emilio Pozuelo Monfort wrote: > Hi Ben, > > I have prepared an update for CVE-2018-5383/firmware-nonfree by backporting the > fixed firmware from the upstream repo that I could find. See my two commits in: > > https://salsa.debian.org/pochu/firmware-nonfree/commits/jessie-security > > I built the packages and compared one of the non-affected packages (qlogic) and > only the changelog has changed. Comparing atheros, the two drivers are updated, > and for intel some of the files are updated. However I see that for intel there > are some drivers that we don't ship in that version of firmware-nonfree, e.g. > ibt-{17,18}-*. For those, I wonder if we should update and ship them. If there's > any user with that hardware, they would need a firmware update I suppose. firmware-nonfree is meant to support the kernel version(s) shipped in the same suite, in the previous release, or in intermediate versions. So for jessie that's 3.2-4.9 inclusive. If one of those kernel versions may request the added files then they should be packaged. Otherwise it's not necessary - users installing a newer kernel package from another suite can get the firmware packages from there too. > (It > may be unlikely for old suites to have users with new hardware, however it's > possible and users that don't have it will be unaffected by the new firmware, so > it wouldn't hurt to ship it.) > > My branch is for jessie but I can prepare it for stretch too if you think that's > worth it. The current jessie-security version of firmware-nonfree is really a backport from stretch. So I would prefer it if you update the stretch branch first and then merge that to jessie-security. Ben. -- Ben Hutchings friends: People who know you well, but like you anyway.
Attachment:
signature.asc
Description: This is a digitally signed message part