Security changes from upstream 2.4.7-p3 #107
Conversation
@rhoerr shouldn't this kind of upstream-sync happen automatically?
Unfortunately not in this case, because of how upstream handles security patch releases.
I hope that's clear, feel free to ask further if not. Something to consider: At what point do we pull the next feature release (Magento 2.4.8) into a Mage-OS release? Now, with 2.4.8-beta1? Only upon the final upstream release, in April 2025? We do want a more rapid development and release cycle than Magento, but pulling in 2.4.8 in alpha or beta stage would risk the release of stability problems and incomplete development. We released Mage-OS 1.0.0 shortly after Magento 2.4.7, so we have not had to seriously consider this before. (cc @Vinai )
@rhoerr: yesterday all security fixes from the past 3 security patch releases got merged upstream in
IMHO I wouldn't merge until 2.4.8 final. @rhoerr, if what @hostep says is true then we should get an automerge and we could close this PR, right?
Thanks @hostep! Finally. 🙂
No, because the automerge is for
Thanks
Right, OK, then this one is easy to merge after #106
No dependency on #106 because that's a separate branch. We'll need this processed/approved before we can build 1.0.5.
@fballiano If you're able to help review this: I got the changes from upstream tags 2.4.7-p2 .. 2.4.7-p3 -- which should take us right to equivalence with 2.4.7-p3. I stripped out release changes (build versions and dependency constraints) to composer.json files. https://github.com/magento/magento2/compare/2.4.7-p2...2.4.7-p3.patch vs this PR: https://patch-diff.githubusercontent.com/raw/mage-os/mageos-magento2/pull/107.patch
@rhoerr PHPCS is complaining about
Should we address it ourselves or keep the error in our codebase?
@rhoerr I've applied magento/magento2@2.4.7-p2...2.4.7-p3 on top of release/1.x but I get a much bigger change. Do you manually review all the changes? E.g.: in https://github.com/magento/magento2/compare/2.4.7-p2...2.4.7-p3.diff I get a change to app/i18n/Magento/en_US/composer.json, but it's not a part of this PR, and it seems to me our file on release/1.x should be updated.
I'm not opposed to us changing to TinyMCE6 before we release. We could fix the 2.4.7-p3 bugs with JS minifying and missing font size in the process. That should be a separate PR though, and we would need someone to actually do that work.
We can fix that -- small enough issue.
That's intentional -- no composer.json changes are included. I reviewed each one to confirm there aren't any impacting composer.json changes missed. The reason not to include those is the 2.4.7-p3 upstream tag is the built release (with package and dependency versions all resolved), but we need the unversioned/unresolved code for contributing purposes. Our release process creates similar composer.json changes for all the modules when it tags a release.
The thing is, once GPL code enters the repo... it will create legal issues. I don't know how upstream will handle this, but I would avoid merging it at the moment. magento2 (before this update) was still on TinyMCE 5; they never updated to v6.
As you wish, I just wouldn't want to have a workflow error spreading to all next PRs on this branch.
I don't think we can realistically avoid that overall though. The GPL code was already merged and released upstream. We can avoid releasing it in Mage-OS Distribution by changing to 6, but it already hit our One way or another, we're missing security fixes from upstream (even if relatively minor this time) -- we can't wait too long to fix that.
If it were me, I'd never release mageOS with GPL code in it; for the mirror, yeah, I guess upstream messed it up and a mirror has to mirror, so...
The TinyMCE 6 CVE gets fixed with this simple change, that's all; more on this here
Not sure if useful to the discussion here, but Nathan (head of security in Adobe for Magento) told me about 10 days ago in private that the reason they updated TinyMCE was for CVE-2024-38357.
@hostep OK, thanks. I thought it was the other CVE; anyway, I see that the one you linked is marked as solved in TinyMCE 6.8.5, which is the one I'm adding to this PR through rhoerr#2.
Anyway, legally, updating to v7 is not viable since the license change. Maybe Adobe can afford to pay a commercial license to distribute TinyMCE 7, but IMHO this should be avoided at all costs in mageOS. It is simply not possible to include GPL software in an OSL one.
Replaced TinyMCE7 with TinyMCE6
The change to TinyMCE 6 is merged (thanks Fabrizio!). Once this PR is merged, I have an additional branch to PR with toolbar improvements compared to upstream: rhoerr@dba4520
@rhoerr if we don't get other reviews soon, I'll merge in the next couple of days max.
Description (*)
This PR pulls the changes from 2.4.7-p3 vs 2.4.7-p2 onto release/1.x. This brings it in line with 2.4.7-p3 for our next release. I sourced the change list from magento/magento2@2.4.7-p2...2.4.7-p3 with all composer.json changes removed.