
Re: bind9 LTS



Hi Sean, all

I'm starting to lean toward your idea, to release a snapshot version,
but I have a concern about that.
To me it looks like the 9.11 track actually has an ABI change. It is not
so visible but a data structure is changed to increase the size and
I'm not 100% sure this is ABI compatible. I could be wrong.

In any case, the work effort needed to fix the current CVEs is large.
Considering the size of the changes there is quite a significant risk
in backporting. The patches are large and rather intrusive. I see a
significant risk in breaking something regardless of whether we take the
snapshot version or backport individual things.

In any case I have found out the following:
- The correction for CVE-2023-4408 is intrusive. This is where I think
we have a potential ABI change. There is an API backport and if the
API changes the ABI is likely to change too. But maybe it is not. I'm
not an expert on bind9. The total size of this patch is over 3000
lines so it is large.
- The correction for CVE-2023-50868 and CVE-2023-50387 takes a lot of
time to make. I have now waded through a lot of patch apply failures
and fixed them all. I have fixed build failures in validator.c and I'm
now working on task.c build failures. There are some potential ABI
changes too, but I have not checked those details too much yet. This
patch file is 677 lines long so it is quite large.

Before I continue this path, I think I should ask you one thing. You
mentioned that "applying 88ff84ae2a first" means less rebasing. But I
do not find such a commit. I find the other ones, but not that one. Do
you happen to have a copy? Maybe it can help me to reduce the work of
fixing all build errors. There are quite a few and in task.c they will
require quite a lot more.

Also did you try to compile after you applied? Just checking to see if
I can re-use some of your work.

Thank you in advance.

Cheers

// Ola

On Sun, 14 Apr 2024 at 06:22, Sean Whitton <spwhitton@spwhitton.name> wrote:
>
> Hello,
>
> On Sun 14 Apr 2024 at 10:14am +08, Sean Whitton wrote:
>
> > Hello,
> >
> > On Sat 13 Apr 2024 at 10:04am +02, Ola Lundqvist wrote:
> >
> >> Do you happen to have reference to specific commits to look at?
> >> You seem to have that since you refer to them as too big to backport.
> >
> > Yes, here you go, hopefully this format is helpful:
> >
> >     * 92b4f88bc8..: Michał Kępień 2024-02-22 Merge branch '4234-use-hashmap-when-parsing-9.11' into 'bind-9.11'
> >     |\
> >     | * 1f9bbe1fe3..: Ondřej Surý 2024-02-11 Add a system test for mixed-case data for the same owner
> >     | * 418b379359..: Ondřej Surý 2024-02-11 Fix case insensitive matching in isc_ht hash table implementation
> >     | * c6026cbbaa..: Mark Andrews 2024-01-31 Apply various tweaks specific to BIND 9.11
> >     | * bbbcaf8b2e..: Evan Hunt 2024-01-29 fix another message parsing regression
> >     | * 98ab8c81cc..: Evan Hunt 2024-01-16 fix a message parsing regression
> >     | * 1296d37687..: Matthijs Mekking 2023-11-14 Fix windows build, remove external symbols
> >     | * 40a0656e6a..: Ondřej Surý 2023-10-11 Add CHANGES for [GL #4234]
> >     | * 2fc28056b3..: Ondřej Surý 2023-10-11 Backport isc_ht API changes from BIND 9.18
> >     | * 0ceed03ebe..: Ondřej Surý 2023-09-11 Use hashtable when parsing a message
> >     |/
>
> I also found that applying 88ff84ae2a first means less rebasing.
>
> --
> Sean Whitton



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------

