Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer

From:	Daniel P . Berrangé
Subject:	Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer
Date:	Tue, 21 Feb 2023 10:17:51 +0000
User-agent:	Mutt/2.2.9 (2022-11-12)

On Tue, Feb 21, 2023 at 09:15:15AM +0100, Philippe Mathieu-Daudé wrote:
> On 20/2/23 18:41, Konstantin Kostiuk wrote:
> > resolves: rhbz#2167436
> 
> "You are not authorized to access bug #2167436."
> 
> > fixes: CVE-2023-0664
> 
> This commit description is rather scarce...
> 
> I understand you are trying to fix a CVE, but we shouldn't play
> the "security by obscurity" card. How can the community and
> distributions know this security fix is enough with the bare
> "Remove change action from MSI installer" justification?
> Can't we do better?

Yes, commit messages should always describe the problem being
solved directly. Bug trackers usually make people wade through
piles of irrelevant comments & potentially misleading blind
alleys during the back & forth of triage. The important info
needs to be distilled down and put in the commit message,
concisely describing the problem faced. Bug tracker links have
been known to bit-rot too.

The commit message needs to focus on /why/ the change was made,
much more than describing /what/ was changed.

> > Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
> > ---
> >   qga/installer/qemu-ga.wxs | 1 +
> >   1 file changed, 1 insertion(+)
> > 
> > diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
> > index 51340f7ecc..feb629ec47 100644
> > --- a/qga/installer/qemu-ga.wxs
> > +++ b/qga/installer/qemu-ga.wxs
> > @@ -31,6 +31,7 @@
> >         />
> >       <Media Id="1" Cabinet="qemu_ga.$(var.QEMU_GA_VERSION).cab" 
> > EmbedCab="yes" />
> >       <Property Id="WHSLogo">1</Property>
> > +    <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
> >       <MajorUpgrade
> >         DowngradeErrorMessage="Error: A newer version of QEMU guest agent 
> > is already installed."
> >         />

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/2] QGA installer fixes, Konstantin Kostiuk, 2023/02/20
- [PATCH 2/2] qga/win32: Use rundll for VSS installation, Konstantin Kostiuk, 2023/02/20
  - Re: [PATCH 2/2] qga/win32: Use rundll for VSS installation, Yan Vugenfirer, 2023/02/21
- [PATCH 1/2] qga/win32: Remove change action from MSI installer, Konstantin Kostiuk, 2023/02/20
  - Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer, Yan Vugenfirer, 2023/02/21
  - Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer, Philippe Mathieu-Daudé, 2023/02/21
    - Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer, Mauro Matteo Cascella, 2023/02/21
    - Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer, Konstantin Kostiuk, 2023/02/21
    - Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer, Daniel P . Berrangé <=

Prev by Date: Re: [PATCH v2 11/14] tests: add tuxrun baseline test to avocado
Next by Date: Re: [PATCH] hw/arm/virt: Prevent CPUs in one socket to span mutiple NUMA nodes
Previous by thread: Re: [PATCH 1/2] qga/win32: Remove change action from MSI installer
Next by thread: git check-rebase - compare branches
Index(es):
- Date
- Thread