[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 03 Sep 2024 18:30:38 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #67 from Franco Fichtner <franco@opnsense.org> ---
There are some open release engineering questions in this thread, lack of
professionalism discarding a problem that was later fixed without comment
aside. Doing the least bit of rectifying the previous behaviour would be a good
start to a useful discussion on the subject.

The first and foremost question is how this was tested and verified? Was the
researcher involved in all steps?  The commits don't have a "Reviewed by" or
"Tested by" either.  Is this normal now?

Does release engineering not assess the risk of spreading an SA fix over 4
commits with about 500 LOC changed introducing new features while at it? That
then grew to 6 commits, with 10 commits at the moment. It's a classic scope
creep that should be avoided on releases at all cost. The test coverage wasn't
there to make an educated choice either.

Why is the fake id portion of the original OpenBSD patch omitted?

At least https://github.com/openbsd/src/commit/49f39043a02d is still missing.
Can anyone comment on why one would think that we should try to get away with
the least bit of commits here when we can clearly see all the related problems
were seen and handled in OpenBSD in the meantime?

Why does nobody ask the reporters here to test this again? Why are the insights
given by reporters brushed off?

You can clearly see where the problem started given that nobody cares to answer
these questions.

TLDR: SO should do this again, please, but RE shouldn't.


Cheers,
Franco
