Soft Feature Freeze starts now for edk2-stable202002


Liming Gao
 

Hi, all
We are entering the Soft Feature Freeze phase. In this phase, features under review will not be allowed to be pushed. Patch review can continue without a break in the edk2 community.

If a patch is sent before Soft Feature Freeze and is planned to catch this stable tag, the patch contributor needs to reply to his patch and notify the edk2 community.
If a patch is sent after Soft Feature Freeze and is planned to catch this stable tag, please add the edk2-stable202002 keyword in the patch title and BZ, so the community knows the patch's target and can give feedback.

Below is edk2-stable202002 tag planning https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
Proposed Schedule
Date (00:00:00 UTC-8) Description
2019-12-02 Beginning of development
2020-02-07 Feature Planning Freeze
2020-02-14 Soft Feature Freeze
2020-02-21 Hard Feature Freeze
2020-02-28 Release

Thanks
Liming


Tim Lewis
 

Liming --

Is there any plan to list all of the security fixes related CVEs that are
being checked in to the list of official features for this stable tag? We
have listed the Boot Guard one.

Thanks,
Tim Lewis
CTO, Insyde Software
www.insyde.com

-----Original Message-----
From: announce@edk2.groups.io <announce@edk2.groups.io> On Behalf Of Liming
Gao
Sent: Friday, February 14, 2020 12:19 AM
To: devel@edk2.groups.io; announce@edk2.groups.io
Cc: Guptha, Soumya K <soumya.k.guptha@intel.com>; Kinney, Michael D
<michael.d.kinney@intel.com>; Laszlo Ersek <lersek@redhat.com>;
afish@apple.com; leif.lindholm@linaro.org
Subject: [edk2-announce] Soft Feature Freeze starts now for
edk2-stable202002

Hi, all
We will enter into Soft Feature Freeze phase. In this phase, the feature
under review will not be allowed to be pushed. The patch review can continue
without break in edk2 community.

If the patch is sent before Soft Feature Freeze, and plans to catch this
stable tag, the patch contributor need reply to his patch and notify edk2
community.
If the patch is sent after Soft Feature Freeze, and plans to catch this
stable tag, please add edk2-stable202002 key words in the patch title and
BZ, so the community know this patch target and give the feedback.

Below is edk2-stable202002 tag planning
https://github.com/tianocore/tianocore.github.io/wiki/EDK-II-Release-Planning
Proposed Schedule
Date (00:00:00 UTC-8) Description
2019-12-02 Beginning of development
2020-02-07 Feature Planning Freeze
2020-02-14 Soft Feature Freeze
2020-02-21 Hard Feature Freeze
2020-02-28 Release

Thanks
Liming


Liming Gao
 

Tim:
There is no special list for the security fixes. All bug fixes will be found in the Bugzilla list in the stable tag wiki, such as https://github.com/tianocore/edk2/releases/tag/edk2-stable201911
Boot Guard is a feature, so it is listed in the feature planning.

Thanks
Liming

-----Original Message-----
From: announce@edk2.groups.io <announce@edk2.groups.io> On Behalf Of Tim Lewis
Sent: Saturday, February 15, 2020 2:53 AM
To: Gao, Liming <liming.gao@intel.com>; devel@edk2.groups.io; announce@edk2.groups.io
Cc: Guptha, Soumya K <soumya.k.guptha@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; 'Laszlo Ersek'
<lersek@redhat.com>; afish@apple.com; leif.lindholm@linaro.org
Subject: Re: [edk2-announce] Soft Feature Freeze starts now for edk2-stable202002

Liming --

Is there any plan to list all of the security fixes related CVEs that are
being checked in to the list of official features for this stable tag? We
have listed the Boot Guard one.

Thanks,
Tim Lewis
CTO, Insyde Software
www.insyde.com


Tim Lewis
 

Liming --

Thanks for the pointer.

The reason I ask is that many users of open source projects such as EDKII
scan the releases for CVE numbers in order to make sure that critical
components get updated. This is due to the fact that CVEs often need to be
reported to downstream users. The Bugzilla list is a little hidden, since
these CVE fixes are not called out directly in the wiki page. It would be
much easier if the BZ items that are related to security fixes are promoted
directly to the wiki page, not just available through a BZ query.

Thanks

Tim

-----Original Message-----
From: Gao, Liming <liming.gao@intel.com>
Sent: Sunday, February 16, 2020 9:20 PM
To: Tim Lewis <tim.lewis@insyde.com>; devel@edk2.groups.io;
announce@edk2.groups.io
Cc: Guptha, Soumya K <soumya.k.guptha@intel.com>; Kinney, Michael D
<michael.d.kinney@intel.com>; 'Laszlo Ersek' <lersek@redhat.com>;
afish@apple.com; leif.lindholm@linaro.org
Subject: RE: [edk2-announce] Soft Feature Freeze starts now for
edk2-stable202002

Tim:
There is no special list for the security fixes. All bug fixes will be
found in Bugzilla List in stable tag wiki, such as
https://github.com/tianocore/edk2/releases/tag/edk2-stable201911
Boot Guard is as the feature. So, it is listed in the feature planning.

Thanks
Liming


Laszlo Ersek
 

On 02/17/20 06:49, tim.lewis@insyde.com wrote:
> Liming --
>
> Thanks for the pointer.
>
> The reason I ask is that many users of open source projects such as EDKII
> scan the releases for CVE numbers in order to make sure that critical
> components get updated. This is due to the fact that CVEs often need to be
> reported to downstream users. The Bugzilla list is a little hidden, since
> these CVE fixes are not called out directly in the wiki page. It would be
> much easier if the BZ items that are related to security fixes are promoted
> directly to the wiki page, not just available through a BZ query.

* Any commit that fixes a CVE is supposed to carry the CVE ID in its
subject, in the git history. So if you do

$ git log --oneline --reverse edk2-stable201911..master | grep CVE

that should give you the list.

Right now, it gives me:

- CVE-2019-14563
- CVE-2019-14586
- CVE-2019-14558

* For CVE patches pending review, the mailing list can be searched
similarly. (E.g. posted after a certain date, plus has both "CVE" and
"PATCH" in subject.)

The pending fixes seem to be for:

- CVE-2019-14575
- CVE-2019-14587
- CVE-2019-14559


(Your question is precisely why I've always asked for CVE IDs in patch
subjects.)

Thanks
Laszlo
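
The subject-line scan described in the message above, extended into a small script that also reports which watched CVE IDs have no fix in the range yet. This is an added example, not part of the thread or of edk2's tooling: the function names are hypothetical, the commit lines are constructed placeholders, and the CVE IDs are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Read `git log --oneline` output on stdin and print the unique CVE IDs
# found in the subjects. Copes with several IDs per line and lower case.
extract_cves() {
    grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' | tr '[:lower:]' '[:upper:]' | sort -u
}

# Print every ID in the watch list ($1, space separated) that is absent
# from the merged list ($2, one ID per line): fixes still outstanding.
missing_cves() {
    for id in $1; do
        printf '%s\n' "$2" | grep -qxF "$id" || printf '%s\n' "$id"
    done
}

# Constructed stand-in for the output of:
#   git log --oneline --reverse edk2-stable201911..master
# Hashes and subjects are placeholders, not real edk2 commits.
sample_log() {
    cat <<'EOF'
0000001 ExamplePkg: placeholder subject (CVE-2019-14563)
0000002 ExamplePkg: placeholder subject with no ID
0000003 ExamplePkg: placeholder subject cve-2019-14586, CVE-2019-14558
0000004 ExamplePkg: placeholder follow-up for CVE-2019-14563
EOF
}

# Watch list a downstream consumer might keep (the six IDs named above).
WATCHED="CVE-2019-14563 CVE-2019-14586 CVE-2019-14558 CVE-2019-14575 CVE-2019-14587 CVE-2019-14559"

merged=$(sample_log | extract_cves)
echo "Fixed in range:"
echo "$merged"
echo "Watched but not found in range:"
missing_cves "$WATCHED" "$merged"
```

Against a real checkout, pipe the `git log` command from the message into `extract_cves` in place of `sample_log`.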