Bug#1056358: bookworm-pu: package needrestart/3.6-4+deb12u1
Control: tag -1 confirmed On Sat, Dec 02, 2023 at 06:47:42PM -0500, Antoine Beaupré wrote: > diff -Nru needrestart-3.6/debian/changelog needrestart-3.6/debian/changelog > --- needrestart-3.6/debian/changelog 2023-05-31 10:47:03.0 -0400 > +++ needrestart-3.6/debian/changelog 2023-11-15 15:05:37.0 -0500 > @@ -1,3 +1,9 @@ > +needrestart (3.6-4+deb12u1) bookworm; urgency=medium > + > + * fix microcode check regression on AMD CPUs (Closes: #1013285) > + > + -- Antoine Beaupré Wed, 15 Nov 2023 15:05:37 -0500 > + Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1056358: bookworm-pu: package needrestart/3.6-4+deb12u1
thanks for taking care! Am 21.11.2023 um 17:35 schrieb Antoine Beaupre: Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: needrest...@packages.debian.org, pmatth...@debian.org Control: affects -1 + src:needrestart [ Reason ] needrestart, starting with bookworm, supports more microcode checks than before. In particular, it now checks AMD CPUs. The amd64-microcode package seem to ship *less* firmware files than its Intel counterpart, which leads to *many* machines (half a dozen) in our fleet to suddenly start warning us about "UNKNOWN" firmware status. [ Impact ] Spurious warnings lead to alert fatigue and consequently untimely security upgrades, which is the main reason why I'm considering this serious enough to warrant a stable update. [ Tests ] The provided patches were tested in production on a fleet (~50 machines) of Debian bookworm servers on torproject.org. [ Risks ] Code is relatively simple. There's a risk that operators who did *not* install the amd64-microcode package will not get a warning, but that's consider an operator error, and out of scope for this. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [~] the issue is verified as fixed in unstable [ Changes ] There are three patches here: 1. 05-fix-AMD-ucode-checking-in-non-debug-mode.patch - fixes a bug where AMD microcode checks would fail unless -v is passed 2. 06-uCode-fix-uninitialized-value-in-logging-of-processo.patch - fix uninitialized variable error, required for the other patches to work 3. 07-mark-unavailable-firmware-as-CURRENT.patch - do not mark unavailable firmware as "UNKNOWN" The first and second patches have shipped into unstable with the -6 release, the last patch is pending. [ Other info ] anarcat@angela:dist$ debdiff needrestart_3.6-4.dsc needrestart_3.6-4+deb12u1.dsc| diffstat dpkg-source: warning: extracting unsigned source package (/home/anarcat/dist/needrestart_3.6-4+deb12u1.dsc) changelog |6 patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch | 33 + patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch | 30 patches/07-mark-unavailable-firmware-as-CURRENT.patch | 61 ++ patches/series|3 5 files changed, 133 insertions(+) We might also want to consider updating to the unstable version directly, as the patch is relatively similar, in fact it's currently *smaller* because it's lacking the third patch here: anarcat@angela:dist[1]$ debdiff needrestart_3.6-4.dsc needrestart_3.6-6.dsc | diffstat NEWS |8 -- changelog| 26 +++ control |1 patches/05-fix-AMD-ucode-checking-in-non-debug-mode.diff | 33 ++ patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.diff | 30 + patches/series |2 6 files changed, 91 insertions(+), 9 deletions(-)
Bug#1056358: bookworm-pu: package needrestart/3.6-4+deb12u1
Control: tags -1 - moreinfo On 2023-12-02 18:52:39, Adam D. Barratt wrote: > There doesn't appear to be a debdiff attached. What is wrong with me. diff -Nru needrestart-3.6/debian/changelog needrestart-3.6/debian/changelog --- needrestart-3.6/debian/changelog 2023-05-31 10:47:03.0 -0400 +++ needrestart-3.6/debian/changelog 2023-11-15 15:05:37.0 -0500 @@ -1,3 +1,9 @@ +needrestart (3.6-4+deb12u1) bookworm; urgency=medium + + * fix microcode check regression on AMD CPUs (Closes: #1013285) + + -- Antoine Beaupré Wed, 15 Nov 2023 15:05:37 -0500 + needrestart (3.6-4) unstable; urgency=medium * Remove leftover conffile 30-pacman with 3.6-4. diff -Nru needrestart-3.6/debian/patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch needrestart-3.6/debian/patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch --- needrestart-3.6/debian/patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch 1969-12-31 19:00:00.0 -0500 +++ needrestart-3.6/debian/patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch 2023-11-15 15:05:37.0 -0500 @@ -0,0 +1,33 @@ +From b073fb6d9969597173daa8c511a85bae9b03ed37 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= +Date: Wed, 15 Nov 2023 15:20:37 -0500 +Subject: [PATCH] fix AMD ucode checking in non-debug mode + +It looks like the assignment when the ucode exist was not +done *unless* `debug` (`-v`) was set. Therefore, all AMD microcode +checks were returning UNKNOWN, including in Nagios checks, unless the +`-v` ("verbose", but actually `debug`) was passed. + +Closes: #249 +--- + perl/lib/NeedRestart/uCode/AMD.pm | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/perl/lib/NeedRestart/uCode/AMD.pm b/perl/lib/NeedRestart/uCode/AMD.pm +index 638e68d..6daad8f 100644 +--- a/perl/lib/NeedRestart/uCode/AMD.pm b/perl/lib/NeedRestart/uCode/AMD.pm +@@ -185,8 +185,8 @@ sub nr_ucode_check_real { + if ( exists( $_ucodes->{cpuid}->{$cpuid} ) ) { + my $prid = $_ucodes->{cpuid}->{$cpuid}; + if ( exists( $_ucodes->{prid}->{$prid} ) ) { +-$vars{AVAIL} = sprintf( "0x%08x", $_ucodes->{prid}->{$prid} ), +- print STDERR "$LOGPREF #$info->{processor} found ucode $vars{AVAIL}\n" if ($debug); ++$vars{AVAIL} = sprintf( "0x%08x", $_ucodes->{prid}->{$prid} ); ++print STDERR "$LOGPREF #$info->{processor} found ucode $vars{AVAIL}\n" if ($debug); + } + } + +-- +2.39.2 + diff -Nru needrestart-3.6/debian/patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch needrestart-3.6/debian/patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch --- needrestart-3.6/debian/patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch 1969-12-31 19:00:00.0 -0500 +++ needrestart-3.6/debian/patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch 2023-11-15 15:05:37.0 -0500 @@ -0,0 +1,30 @@ +From e85bfe33b595b88cc8052a7815d13612ecc2a841 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stefan=20B=C3=BChler?= +Date: Sun, 28 May 2023 17:42:28 +0200 +Subject: [PATCH] [uCode] fix uninitialized value in logging of processor index + +This got broken in f8c2609f8d5a0e10bd988497b8ea9815a7bb2fa8. + +Before that it would have effectively logged +`$processors{$pid}->{processor}`, but the `processor` entry +is also the key in `%processors`, i.e. equals `$pid`. +--- + perl/lib/NeedRestart/uCode.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/perl/lib/NeedRestart/uCode.pm b/perl/lib/NeedRestart/uCode.pm +index 6251339..db81375 100644 +--- a/perl/lib/NeedRestart/uCode.pm b/perl/lib/NeedRestart/uCode.pm +@@ -148,7 +148,7 @@ sub nr_ucode_check { + } + $ui->progress_step; + +-my $nstate = compare_ucode_versions( $debug, $processors{processor}, @nvars ); ++my $nstate = compare_ucode_versions( $debug, $pid, @nvars ); + if ( $nstate > $state ) { + ( $state, @vars ) = ( $nstate, @nvars ); + } +-- +2.39.2 + diff -Nru needrestart-3.6/debian/patches/07-mark-unavailable-firmware-as-CURRENT.patch needrestart-3.6/debian/patches/07-mark-unavailable-firmware-as-CURRENT.patch --- needrestart-3.6/debian/patches/07-mark-unavailable-firmware-as-CURRENT.patch 1969-12-31 19:00:00.0 -0500 +++ needrestart-3.6/debian/patches/07-mark-unavailable-firmware-as-CURRENT.patch 2023-11-15 15:05:37.0 -0500 @@ -0,0 +1,61 @@ +From 0e1ffe8025416a918ddf169f2d858762733d7238 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= +Date: Tue, 21 Nov 2023 10:59:32 -0500 +Subject: [PATCH] mark unavailable firmware as CURRENT + +This changes the policy of reporting missing firmware updates as +"UNKNOWN". Now, if there's no available firmware, we report +"current". That fixes needrestart on platforms that do not have +firmware support (#220) or platforms that *are* supported but for +which a CPU is to new to have an updated
Bug#1056358: bookworm-pu: package needrestart/3.6-4+deb12u1
Control: tags -1 + moreinfo On Tue, 2023-11-21 at 11:35 -0500, Antoine Beaupre wrote: > needrestart, starting with bookworm, supports more microcode checks > than before. In particular, it now checks AMD CPUs. > > The amd64-microcode package seem to ship *less* firmware files than > its Intel counterpart, which leads to *many* machines (half a dozen) > in our fleet to suddenly start warning us about "UNKNOWN" firmware > status. > [...] > [ Checklist ] > [x] *all* changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in (old)stable There doesn't appear to be a debdiff attached. Regards, Adam
Bug#1056358: bookworm-pu: package needrestart/3.6-4+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: needrest...@packages.debian.org, pmatth...@debian.org Control: affects -1 + src:needrestart [ Reason ] needrestart, starting with bookworm, supports more microcode checks than before. In particular, it now checks AMD CPUs. The amd64-microcode package seem to ship *less* firmware files than its Intel counterpart, which leads to *many* machines (half a dozen) in our fleet to suddenly start warning us about "UNKNOWN" firmware status. [ Impact ] Spurious warnings lead to alert fatigue and consequently untimely security upgrades, which is the main reason why I'm considering this serious enough to warrant a stable update. [ Tests ] The provided patches were tested in production on a fleet (~50 machines) of Debian bookworm servers on torproject.org. [ Risks ] Code is relatively simple. There's a risk that operators who did *not* install the amd64-microcode package will not get a warning, but that's consider an operator error, and out of scope for this. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [~] the issue is verified as fixed in unstable [ Changes ] There are three patches here: 1. 05-fix-AMD-ucode-checking-in-non-debug-mode.patch - fixes a bug where AMD microcode checks would fail unless -v is passed 2. 06-uCode-fix-uninitialized-value-in-logging-of-processo.patch - fix uninitialized variable error, required for the other patches to work 3. 07-mark-unavailable-firmware-as-CURRENT.patch - do not mark unavailable firmware as "UNKNOWN" The first and second patches have shipped into unstable with the -6 release, the last patch is pending. [ Other info ] anarcat@angela:dist$ debdiff needrestart_3.6-4.dsc needrestart_3.6-4+deb12u1.dsc| diffstat dpkg-source: warning: extracting unsigned source package (/home/anarcat/dist/needrestart_3.6-4+deb12u1.dsc) changelog |6 patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch | 33 + patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch | 30 patches/07-mark-unavailable-firmware-as-CURRENT.patch | 61 ++ patches/series|3 5 files changed, 133 insertions(+) We might also want to consider updating to the unstable version directly, as the patch is relatively similar, in fact it's currently *smaller* because it's lacking the third patch here: anarcat@angela:dist[1]$ debdiff needrestart_3.6-4.dsc needrestart_3.6-6.dsc | diffstat NEWS |8 -- changelog| 26 +++ control |1 patches/05-fix-AMD-ucode-checking-in-non-debug-mode.diff | 33 ++ patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.diff | 30 + patches/series |2 6 files changed, 91 insertions(+), 9 deletions(-)