oss-sec mailing list archives

Re: code review CVS


From: "Pierre-Yves Rofes" <py () gentoo org>
Date: Thu, 21 Feb 2008 09:37:54 +0100 (CET)

On Thu, February 21, 2008 7:24 am, Vincent Danen wrote:
* [2008-02-20 17:51:47 -0800] Kees Cook wrote:

I like the patch idea, however.  A "vendor patch" database of sorts
would be nice (would save me from hunting from, say, ubuntu packages for
a patch for something they already fixed, or looking at ubuntu for one,
and SUSE for another because of version differences).

I'd really like to have at least a "how to find a patch for [distro],
release [version]".  I have an easier time finding Debian patches,
for example, since http://snapshot.debian.net/ exists.  Ubuntu is a
bit less patch-hunter-friendly in that regard, but we try to always keep
patches external to the source tree, so they're easy to locate from
change logs.  Doing this with src.rpms follows a similar convention,
but can sometimes get tricky too.  Finding them can sometimes be a chore
-- I always bang my head when looking for RHEL src.rpms.  :)

[...]

And I'd *love* to see what the Gentoo folks will link to.. =)  They have
to be the biggest head-scratcher for me.


It's true that we currently don't have a centralized place for patches,
maybe we should work something out. For now, I'd say that the best option
is to use:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/<category>/<pkg>/
Then all patches should be in the "files" directory.

e.g. you want the last patch for an integer overflow in tcpdump, you'll
find it in:
http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-analyzer/tcpdump/files/

But FYI, we generally use the patches from Debian :)

-- 
Pierre-Yves Rofes
Gentoo Linux Security Team
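As an added illustration of the layout Pierre-Yves describes (this is not code from the thread or from Gentoo): patches live under the package's files/ directory and the ebuild pulls them in with epatch "${FILESDIR}"/name.patch, so the patch names an ebuild references can be cross-checked against what is actually in files/. The script below builds a constructed gentoo-x86 tree in a temporary directory (the ebuild text, the 3.9.8 version and both patch file names are hypothetical, and the patch content is a stub), then lists each referenced patch and whether it is present. It goes slightly beyond the post by also flagging a referenced patch that is missing from files/, which is the case a patch hunter trips over.

```shell
#!/bin/sh
# Constructed gentoo-x86 layout for demonstration only; nothing here is real Gentoo data.
set -e
WORK="$(mktemp -d)"
PKGDIR="$WORK/gentoo-x86/net-analyzer/tcpdump"
mkdir -p "$PKGDIR/files"

# Hypothetical ebuild: two patches referenced via ${FILESDIR}, only one of them shipped.
cat > "$PKGDIR/tcpdump-3.9.8.ebuild" <<'EOF'
# constructed ebuild fragment (hypothetical version and patch names)
inherit eutils
src_unpack() {
	unpack ${A}
	cd "${S}"
	epatch "${FILESDIR}"/tcpdump-3.9.8-int-overflow.patch
	epatch "${FILESDIR}"/tcpdump-3.9.8-missing.patch
}
EOF
# Stub patch body standing in for the real fix.
printf -- '--- a/print-bgp.c\n+++ b/print-bgp.c\n' \
    > "$PKGDIR/files/tcpdump-3.9.8-int-overflow.patch"

# ebuild_patches EBUILD: print "present NAME" or "missing NAME" for every
# "${FILESDIR}"/NAME reference in the ebuild, resolved against its files/ directory.
ebuild_patches() {
    ebuild="$1"
    filesdir="$(dirname "$ebuild")/files"
    grep -o '"\${FILESDIR}"/[^ ]*' "$ebuild" \
        | sed 's|"\${FILESDIR}"/||' \
        | while read -r p; do
            if [ -f "$filesdir/$p" ]; then
                echo "present $p"
            else
                echo "missing $p"
            fi
        done
}

ebuild_patches "$PKGDIR/tcpdump-3.9.8.ebuild"
```

Pointed at a real checkout (or a directory fetched from the viewcvs URL above), the same function tells you at once which patch files to grab for a given ebuild and which references are stale.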
