954138 – app-emulation/qemu is still pulling in a very old version of edk2 (dependency)

Bug 954138 - app-emulation/qemu is still pulling in a very old version of edk2 (dependency)

Summary: app-emulation/qemu is still pulling in a very old version of edk2 (dependency)

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Virtualization Team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2025-04-21 09:12 UTC by toon
Modified:	2025-04-21 14:50 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
emerge --info (emerge-info.txt,6.86 KB, text/plain) 2025-04-21 09:12 UTC, toon	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description toon 2025-04-21 09:12:46 UTC

Created attachment 925556 [details]
emerge --info

Hi,

I noticed that the qemu package is still pulling in a very ancient version of the edk2 binary package.  Is this deliberate or did it slip between the cracks?

More recent versions contains quite a few CVE-fixes, among other things...

wazoo /var/db/repos/gentoo # equery list -p sys-firmware/edk2
 * Searching for edk2 in sys-firmware ...
[-P-] [  ] sys-firmware/edk2-202202:0
[-P-] [  ] sys-firmware/edk2-202408:0
[-P-] [ ~] sys-firmware/edk2-202411:0
[-P-] [ ~] sys-firmware/edk2-202502:0
wazoo /var/db/repos/gentoo # equery list -p sys-firmware/edk2-bin
 * Searching for edk2-bin in sys-firmware ...
[IP-] [  ] sys-firmware/edk2-bin-202202:0
[-P-] [  ] sys-firmware/edk2-bin-202408:0
[-P-] [  ] sys-firmware/edk2-bin-202411:0
wazoo /var/db/repos/gentoo # grep EDK2_OVMF_VERSION= app-emulation/qemu/*.ebuild
app-emulation/qemu/qemu-7.2.15.ebuild:EDK2_OVMF_VERSION="202202"
app-emulation/qemu/qemu-7.2.16.ebuild:EDK2_OVMF_VERSION="202202"
app-emulation/qemu/qemu-7.2.17.ebuild:EDK2_OVMF_VERSION="202202"
app-emulation/qemu/qemu-8.2.10.ebuild:EDK2_OVMF_VERSION="202202"
app-emulation/qemu/qemu-8.2.7.ebuild:EDK2_OVMF_VERSION="202202"
app-emulation/qemu/qemu-8.2.9.ebuild:EDK2_OVMF_VERSION="202202"
app-emulation/qemu/qemu-9.1.2.ebuild:EDK2_OVMF_VERSION="202202"
app-emulation/qemu/qemu-9.1.3.ebuild:EDK2_OVMF_VERSION="202202"
app-emulation/qemu/qemu-9.2.2.ebuild:EDK2_OVMF_VERSION="202202"
app-emulation/qemu/qemu-9.2.3.ebuild:EDK2_OVMF_VERSION="202202"
app-emulation/qemu/qemu-9999.ebuild:EDK2_OVMF_VERSION="202202"

Comment 1 Sam James archtester

2025-04-21 09:18:27 UTC

Note that you can always do USE=-pin-upstream-blobs. That said, I don't know if anyone's checked that the upstream blobs have been updated since the last time.

Comment 2 toon 2025-04-21 10:03:27 UTC

Ah yeah, that use flag (pin-upstream-blobs) is set by default in the system profile as well as in the ebuild.

I understand the reason why (this is needed to sanely support migration/suspend/resume/snapshotting/etc), but it implies that the edk2 firmware is never updated.  This is not the standard behaviour one would expect.

There is this warning message in the ebuild however, but jeez it makes updating non-trivial.

ewarn "This might break resume of hibernated guests (started with a different"
ewarn "firmware version) and live migration to/from qemu versions with different"
ewarn "firmware. Please (cold) restart all running guests.

Okay, I'll experiment with -pin-upstream-blobs
Thanks for your advice.