grub-devel

Re: [PATCH v2] verify: search keyid in hashed signature subpackets


From: Ignat Korchagin
Subject: Re: [PATCH v2] verify: search keyid in hashed signature subpackets
Date: Thu, 15 Dec 2016 17:30:45 +0000

Hi,

> please be patient
I'm not in a hurry. Like probably everyone else, I have a fork repo where all changes are present. Just wanted to rely more on upstream in the future.

> Unfortunately it takes time especially if backlog is huge
That is my point: if the environment is more friendly, probably you would get more help in working through the backlog.

But, anyway, back to the patch: I recovered some of the context of my code, so here are the details

> I think this loop is overcomplicated. In all other places we assume that
> short read from grub_file_read means error.
This loop validates incorrect (or even bogus) signature format.
The format should be (simplified) |total len|subpack1|subpack2|....
Each subpacket has its own length specified as well
This loop tries to verify that the overall processed packet length matches.
Since we process arbitrary length here, I do not see a better approach.

As for other concerns I commented in my previous reply to the patch.

Thank you.

On Mon, Dec 12, 2016 at 1:20 PM, Daniel Kiper <address@hidden> wrote:
Hi Ignat,

On Sun, Dec 11, 2016 at 02:51:00PM +0000, Ignat Korchagin wrote:
> General thoughts:
> Just a reminder: this patch tries to fix a BUG in code, which was
> present from the introduction of this functionality and acknowledged
> for more than 9 months now. The goal of this patch is to fix it without
> introducing too much change. We are spending too much time "improving"
> things and forgetting that basic functionality is broken.

[...]

Thank you for your work. I understand your POV but I think that Andrei's questions
are valid too. I know that this sounds stupid but please be patient. We are trying
to rectify all GRUB2 maintenance issues. Unfortunately it takes time especially if
backlog is huge. Personally I can promise that I will do my best to get your fixes
into 2.02 release. However, we need your support and a bit of understanding too.

Daniel
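
The layout described in the reply above, |total len|subpack1|subpack2|..., as an added example (not GRUB's code and not the patch under discussion): a bounds-checked walk over an OpenPGP signature subpacket area that looks for the issuer key ID and rejects any area whose subpacket lengths do not add up to the declared total. It assumes the RFC 4880 encodings (2-octet big-endian total length, 1-, 2- or 5-octet subpacket lengths, issuer subpacket type 16); the function name and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SUBPKT_ISSUER 16 /* issuer key ID subpacket type; body is 8 octets */

/* Constructed sample: |total len = 16|creation time subpkt|issuer subpkt| */
const uint8_t sample_ok[] = { 0x00, 0x10, 0x05, 0x02, 0x58, 0x52, 0xd0, 0x75,
  0x09, 0x10, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
/* Same area, but the issuer subpacket claims one octet more than is left. */
const uint8_t sample_bad[] = { 0x00, 0x10, 0x05, 0x02, 0x58, 0x52, 0xd0, 0x75,
  0x0a, 0x10, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };

/* Returns 1 and fills keyid if an issuer subpacket is present, 0 if the area
   is well formed without one, -1 if any length field is inconsistent. */
int find_issuer_keyid (const uint8_t *buf, size_t buflen, uint8_t keyid[8])
{
  size_t end, pos = 2, len;
  int found = 0;

  if (buflen < 2 || (((size_t) buf[0] << 8) | buf[1]) > buflen - 2)
    return -1;                 /* declared area is longer than the data */
  end = 2 + (((size_t) buf[0] << 8) | buf[1]);

  while (pos < end)
    {
      size_t lenlen = buf[pos] < 192 ? 1 : buf[pos] < 255 ? 2 : 5;
      if (lenlen > end - pos)
        return -1;             /* length field itself is truncated */
      if (lenlen == 1)
        len = buf[pos];
      else if (lenlen == 2)
        len = (((size_t) buf[pos] - 192) << 8) + buf[pos + 1] + 192;
      else
        len = ((size_t) buf[pos + 1] << 24) | ((size_t) buf[pos + 2] << 16)
              | ((size_t) buf[pos + 3] << 8) | buf[pos + 4];
      pos += lenlen;
      /* len covers the type octet plus the body and must fit in the area. */
      if (len == 0 || len > end - pos)
        return -1;
      if ((buf[pos] & 0x7f) == SUBPKT_ISSUER && len == 9 && !found)
        {
          memcpy (keyid, buf + pos + 1, 8);
          found = 1;
        }
      pos += len;
    }
  return found;                /* here pos == end: the lengths add up exactly */
}
```

Because every subpacket length is checked against the remaining declared area before it is consumed, the loop can only finish with the processed length equal to the total length.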

