[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer
From: |
Daniel P . Berrangé |
Subject: |
Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer |
Date: |
Tue, 21 Feb 2023 10:17:51 +0000 |
User-agent: |
Mutt/2.2.9 (2022-11-12) |
On Tue, Feb 21, 2023 at 09:15:15AM +0100, Philippe Mathieu-Daudé wrote:
> On 20/2/23 18:41, Konstantin Kostiuk wrote:
> > resolves: rhbz#2167436
>
> "You are not authorized to access bug #2167436."
>
> > fixes: CVE-2023-0664
>
> This commit description is rather scarce...
>
> I understand you are trying to fix a CVE, but we shouldn't play
> the "security by obscurity" card. How can the community and
> distributions know this security fix is enough with the bare
> "Remove change action from MSI installer" justification?
> Can't we do better?
Yes, commit messages should always describe the problem being
solved directly. Bug trackers usually make people wade through
piles of irrelevant comments & potentially misleading blind
alleys during the back & forth of triage. The important info
needs to be distilled down and put in the commit message,
concisely describing the problem faced. Bug tracker links have
been known to bit-rot too.
The commit message needs to focus on /why/ the change was made,
much more than describing /what/ was changed.
> > Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
> > ---
> > qga/installer/qemu-ga.wxs | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
> > index 51340f7ecc..feb629ec47 100644
> > --- a/qga/installer/qemu-ga.wxs
> > +++ b/qga/installer/qemu-ga.wxs
> > @@ -31,6 +31,7 @@
> > />
> > <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab"
> > EmbedCab="yes" />
> > <Property Id="WHSLogo">1</Property>
> > + <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
> > <MajorUpgrade
> > DowngradeErrorMessage="Error: A newer version of QEMU guest agent
> > is already installed."
> > />
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|