Hello Michael, hello *,
back at my desk, I saw your commits to the IPFire 2.x repository, and would like to confer the procedure of Core Updates 166 and 167 with you.
Given the current circumstances, I think it would make sense to treat Core Update 166 as a more pressing, security-relevant update, having the following issues covered:
- zlib: memory corruption (CVE-2018-25032 et al.) [I am working on a patch, as the current one is not sufficient anymore.]
- Linux kernel: CVE-2022-1015, CVE-2022-1016 [I volunteer to work on this.]
- apache: See https://patchwork.ipfire.org/project/ipfire/patch/20220316160912.1569-1-matt...
- bind: See https://patchwork.ipfire.org/project/ipfire/patch/20220322173203.1633-1-matt...
Aside from that, I would like to ship as many bugfixes that are currently staged in Core Update 167 with Core 166, to avoid unnecessary delays for the users.
Also, I will hand in a patch fixing #12807, which fell through the cracks due to high workload on my end. It is currently a show-stopper for IPFire Tor users. :-/
***
Does this sound fine to you? If so, since I cannot commit into the master branch, how should we coordinate this so you won't have the entire load of cherry-picking on your shoulders?
***
Regarding Core Update 167, I would see what's left in there after Core 166 is near-finished. Thanks for the linux-firmware patchset, but I am afraid this still leaves us with an update of an estimated size of 150 MBytes, which is too much.
At the moment, the only possibility I see is not to ship linux-firmware, but rather compress the files on the installations during the update.
Thanks, and best regards, Peter Müller