author Luke T. Shumaker <lukeshu@lukeshu.com> 2024-06-08 22:06:45 -0600
committer Luke T. Shumaker <lukeshu@lukeshu.com> 2024-06-08 22:06:45 -0600
commit 3423e976f619a913a040c87bf116d06ca5823d4a
tree 2013cce8981d283f9462fc6150705d498996b959 /imworkingon/contribs.yml
parent 0bd9be7a0ba08fdecb065790f48d2704c88d22c0
Improve contrib descriptions
Diffstat (limited to 'imworkingon/contribs.yml')
-rw-r--r-- imworkingon/contribs.yml 47
1 files changed, 38 insertions, 9 deletions
diff --git a/imworkingon/contribs.yml b/imworkingon/contribs.yml
index 31cd33e..003c6dc 100644
--- a/imworkingon/contribs.yml
+++ b/imworkingon/contribs.yml
@@ -10,6 +10,7 @@
friction for Ruby users on GNU/Linux distros that care about those
3 things.
- urls: [https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/merge_requests/328]
+ id: mkinitcpio-arm-zimage
tags: [ARM, boot]
sponsored-by: Umorpha Systems
desc: |
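Review bot: the new `id: mkinitcpio-arm-zimage` key is undocumented, and the links added elsewhere in this patch point at `#contrib-mkinitcpio-arm-zimage`, so the key only works if the renderer prepends `contrib-` to it. A short comment at the top of contribs.yml stating that mapping, and that ids must be unique, would keep a later rename from silently breaking the cross-references.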
@@ -22,6 +23,8 @@
This PR removes that friction by teaching mkinitcpio to understand
ARM zImage files.
+
+ See also: [mkinitcpio#362](#contrib-mkinitcpio-arm-zimage-tests)
- urls: [https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/merge_requests/277]
tags: [boot]
sponsored-by: Umorpha Systems
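Review bot: the link text `mkinitcpio#362` on the added "See also" line uses `#`, but the target entry's URL is `.../merge_requests/362`, and GitLab writes merge requests as `!362` and reserves `#` for issues. Consider `mkinitcpio!362` so a reader searching the mkinitcpio tracker does not land on an unrelated issue. The link also depends on the `mkinitcpio-arm-zimage-tests` id added further down in this same patch, so the two changes have to land together.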
@@ -85,13 +88,15 @@
This PR makes it easier to contribute to gotk4 by improving
developer documentation and automated checks.
- urls: [https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/merge_requests/362]
+ id: mkinitcpio-arm-zimage-tests
tags: [ARM, boot, testing]
desc: |
- This PR adds tests for the earlier ARM zImage work. This was
- split off into a separate PR from the main ARM zImage PR because
- the maintainers had concerns about merging binary test files (very
- understandable, especially given the recent XZ issue!), but didn't
- want to hold up the main work.
+ This PR adds tests for the [earlier ARM zImage
+ work](#contrib-mkinitcpio-arm-zimage). This was split off into a
+ separate PR from the main ARM zImage PR because the maintainers
+ had concerns about merging binary test files (very understandable,
+ especially given the recent XZ issue!), but didn't want to hold up
+ the main work.
- urls:
- https://github.com/golang/net/pull/208
- https://go-review.googlesource.com/c/net/+/580855
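Review bot: the rewrapped description still says "the recent XZ issue", and this entry carries no date, so "recent" will stop being true while the page stays up. Naming the event specifically (for example "the 2024 XZ backdoor") or linking to a write-up would keep the rationale for splitting out the binary test files understandable later.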
@@ -132,17 +137,41 @@
Parabola, hopefully Artix) to provide init-freedom and support
other init systems.
- urls: [https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/5586382]
+ id: vboot-32
tags: [boot]
desc: |
- TODO
+ This fixes a bug in the code that both (1) may allow a
+ specially-crafted partition to bypass a bounds check, and (2)
+ makes it so that the code does not compile when `sizeof(size_t)=4`
+ (that is: x86-32).
+
+ See also: [libreboot#218](#contrib-libreboot-32)
- urls: [https://codeberg.org/libreboot/lbmk/pulls/218]
+ id: libreboot-32
tags: [boot]
desc: |
- TODO
+ This has the Libreboot build-system apply the [fix I submitted to
+ vboot](#contrib-vboot-32), so that Libreboot can be compiled on
+ x86-32. Libreboot does not use the affected vboot functionality,
+ but the bug was preventing things from compiling.
- urls:
- https://sourceware.org/pipermail/binutils/2024-June/134608.html
- https://sourceware.org/pipermail/gdb-patches/2024-June/209720.html
- tags: [GNU]
+ tags: [GNU, supply-chain-security]
status: open
desc: |
- TODO
+ The binutils-gdb sources bundle a number of files from other
+ sources (including the autotools, libtools, readline, texinfo,
+ gnulib, zlib, and GDB). I audited the binutils-gdb sources to
+ pin-point exactly which versions were being bundled and what
+ patches were being applied, then wrote a `./bootstrap` script to
+ automate that bundling.
+
+ As the recent XZ issue taught us, this kind of audit is an
+ important part of supply-chain security. The `./bootstrap` script
+ will greatly ease this type of audit in the future, and can even
+ enable enforcing up-to-date-ness of the audit in CI.
+
+ Also, hopefully this will make it easier to keep binutils' and
+ GDB's bundled dependencies more up-to-date in the future; as many
+ are quite out-of-date right now.
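Review bot: the new vboot description says the bug "may allow a specially-crafted partition to bypass a bounds check", yet the entry keeps `tags: [boot]` and has no `status:`, while the binutils entry in the same hunk gains `supply-chain-security` and already has `status: open`. A security-related tag and a status on `vboot-32` would let readers find the fix and see whether it has been merged. Two smaller points: "`sizeof(size_t)=4` (that is: x86-32)" reads as if x86-32 were the only such target, where "for example" would be more accurate, and "libtools" in the binutils text looks like a typo for libtool.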