Bug#1056358: bookworm-pu: package needrestart/3.6-4+deb12u1
Control: tag -1 confirmed On Sat, Dec 02, 2023 at 06:47:42PM -0500, Antoine Beaupré wrote: > diff -Nru needrestart-3.6/debian/changelog needrestart-3.6/debian/changelog > --- needrestart-3.6/debian/changelog 2023-05-31 10:47:03.0 -0400 > +++ needrestart-3.6/debian/changelog 2023-11-15 15:05:37.0 -0500 > @@ -1,3 +1,9 @@ > +needrestart (3.6-4+deb12u1) bookworm; urgency=medium > + > + * fix microcode check regression on AMD CPUs (Closes: #1013285) > + > + -- Antoine Beaupré Wed, 15 Nov 2023 15:05:37 -0500 > + Please go ahead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51 ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Bug#1056358: bookworm-pu: package needrestart/3.6-4+deb12u1
thanks for taking care! Am 21.11.2023 um 17:35 schrieb Antoine Beaupre: Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: needrest...@packages.debian.org, pmatth...@debian.org Control: affects -1 + src:needrestart [ Reason ] needrestart, starting with bookworm, supports more microcode checks than before. In particular, it now checks AMD CPUs. The amd64-microcode package seem to ship *less* firmware files than its Intel counterpart, which leads to *many* machines (half a dozen) in our fleet to suddenly start warning us about "UNKNOWN" firmware status. [ Impact ] Spurious warnings lead to alert fatigue and consequently untimely security upgrades, which is the main reason why I'm considering this serious enough to warrant a stable update. [ Tests ] The provided patches were tested in production on a fleet (~50 machines) of Debian bookworm servers on torproject.org. [ Risks ] Code is relatively simple. There's a risk that operators who did *not* install the amd64-microcode package will not get a warning, but that's consider an operator error, and out of scope for this. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [~] the issue is verified as fixed in unstable [ Changes ] There are three patches here: 1. 05-fix-AMD-ucode-checking-in-non-debug-mode.patch - fixes a bug where AMD microcode checks would fail unless -v is passed 2. 06-uCode-fix-uninitialized-value-in-logging-of-processo.patch - fix uninitialized variable error, required for the other patches to work 3. 07-mark-unavailable-firmware-as-CURRENT.patch - do not mark unavailable firmware as "UNKNOWN" The first and second patches have shipped into unstable with the -6 release, the last patch is pending. [ Other info ] anarcat@angela:dist$ debdiff needrestart_3.6-4.dsc needrestart_3.6-4+deb12u1.dsc| diffstat dpkg-source: warning: extracting unsigned source package (/home/anarcat/dist/needrestart_3.6-4+deb12u1.dsc) changelog |6 patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch | 33 + patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch | 30 patches/07-mark-unavailable-firmware-as-CURRENT.patch | 61 ++ patches/series|3 5 files changed, 133 insertions(+) We might also want to consider updating to the unstable version directly, as the patch is relatively similar, in fact it's currently *smaller* because it's lacking the third patch here: anarcat@angela:dist[1]$ debdiff needrestart_3.6-4.dsc needrestart_3.6-6.dsc | diffstat NEWS |8 -- changelog| 26 +++ control |1 patches/05-fix-AMD-ucode-checking-in-non-debug-mode.diff | 33 ++ patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.diff | 30 + patches/series |2 6 files changed, 91 insertions(+), 9 deletions(-)
Bug#1056358: bookworm-pu: package needrestart/3.6-4+deb12u1
Control: tags -1 - moreinfo
On 2023-12-02 18:52:39, Adam D. Barratt wrote:
> There doesn't appear to be a debdiff attached.
What is wrong with me.
diff -Nru needrestart-3.6/debian/changelog needrestart-3.6/debian/changelog
--- needrestart-3.6/debian/changelog 2023-05-31 10:47:03.0 -0400
+++ needrestart-3.6/debian/changelog 2023-11-15 15:05:37.0 -0500
@@ -1,3 +1,9 @@
+needrestart (3.6-4+deb12u1) bookworm; urgency=medium
+
+ * fix microcode check regression on AMD CPUs (Closes: #1013285)
+
+ -- Antoine Beaupré Wed, 15 Nov 2023 15:05:37 -0500
+
needrestart (3.6-4) unstable; urgency=medium
* Remove leftover conffile 30-pacman with 3.6-4.
diff -Nru needrestart-3.6/debian/patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch needrestart-3.6/debian/patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch
--- needrestart-3.6/debian/patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch 1969-12-31 19:00:00.0 -0500
+++ needrestart-3.6/debian/patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch 2023-11-15 15:05:37.0 -0500
@@ -0,0 +1,33 @@
+From b073fb6d9969597173daa8c511a85bae9b03ed37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?=
+Date: Wed, 15 Nov 2023 15:20:37 -0500
+Subject: [PATCH] fix AMD ucode checking in non-debug mode
+
+It looks like the assignment when the ucode exist was not
+done *unless* `debug` (`-v`) was set. Therefore, all AMD microcode
+checks were returning UNKNOWN, including in Nagios checks, unless the
+`-v` ("verbose", but actually `debug`) was passed.
+
+Closes: #249
+---
+ perl/lib/NeedRestart/uCode/AMD.pm | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/perl/lib/NeedRestart/uCode/AMD.pm b/perl/lib/NeedRestart/uCode/AMD.pm
+index 638e68d..6daad8f 100644
+--- a/perl/lib/NeedRestart/uCode/AMD.pm
b/perl/lib/NeedRestart/uCode/AMD.pm
+@@ -185,8 +185,8 @@ sub nr_ucode_check_real {
+ if ( exists( $_ucodes->{cpuid}->{$cpuid} ) ) {
+ my $prid = $_ucodes->{cpuid}->{$cpuid};
+ if ( exists( $_ucodes->{prid}->{$prid} ) ) {
+-$vars{AVAIL} = sprintf( "0x%08x", $_ucodes->{prid}->{$prid} ),
+- print STDERR "$LOGPREF #$info->{processor} found ucode $vars{AVAIL}\n" if ($debug);
++$vars{AVAIL} = sprintf( "0x%08x", $_ucodes->{prid}->{$prid} );
++print STDERR "$LOGPREF #$info->{processor} found ucode $vars{AVAIL}\n" if ($debug);
+ }
+ }
+
+--
+2.39.2
+
diff -Nru needrestart-3.6/debian/patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch needrestart-3.6/debian/patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch
--- needrestart-3.6/debian/patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch 1969-12-31 19:00:00.0 -0500
+++ needrestart-3.6/debian/patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch 2023-11-15 15:05:37.0 -0500
@@ -0,0 +1,30 @@
+From e85bfe33b595b88cc8052a7815d13612ecc2a841 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20B=C3=BChler?=
+Date: Sun, 28 May 2023 17:42:28 +0200
+Subject: [PATCH] [uCode] fix uninitialized value in logging of processor index
+
+This got broken in f8c2609f8d5a0e10bd988497b8ea9815a7bb2fa8.
+
+Before that it would have effectively logged
+`$processors{$pid}->{processor}`, but the `processor` entry
+is also the key in `%processors`, i.e. equals `$pid`.
+---
+ perl/lib/NeedRestart/uCode.pm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/perl/lib/NeedRestart/uCode.pm b/perl/lib/NeedRestart/uCode.pm
+index 6251339..db81375 100644
+--- a/perl/lib/NeedRestart/uCode.pm
b/perl/lib/NeedRestart/uCode.pm
+@@ -148,7 +148,7 @@ sub nr_ucode_check {
+ }
+ $ui->progress_step;
+
+-my $nstate = compare_ucode_versions( $debug, $processors{processor}, @nvars );
++my $nstate = compare_ucode_versions( $debug, $pid, @nvars );
+ if ( $nstate > $state ) {
+ ( $state, @vars ) = ( $nstate, @nvars );
+ }
+--
+2.39.2
+
diff -Nru needrestart-3.6/debian/patches/07-mark-unavailable-firmware-as-CURRENT.patch needrestart-3.6/debian/patches/07-mark-unavailable-firmware-as-CURRENT.patch
--- needrestart-3.6/debian/patches/07-mark-unavailable-firmware-as-CURRENT.patch 1969-12-31 19:00:00.0 -0500
+++ needrestart-3.6/debian/patches/07-mark-unavailable-firmware-as-CURRENT.patch 2023-11-15 15:05:37.0 -0500
@@ -0,0 +1,61 @@
+From 0e1ffe8025416a918ddf169f2d858762733d7238 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?=
+Date: Tue, 21 Nov 2023 10:59:32 -0500
+Subject: [PATCH] mark unavailable firmware as CURRENT
+
+This changes the policy of reporting missing firmware updates as
+"UNKNOWN". Now, if there's no available firmware, we report
+"current". That fixes needrestart on platforms that do not have
+firmware support (#220) or platforms that *are* supported but for
+which a CPU is to new to have an updated
Bug#1056358: bookworm-pu: package needrestart/3.6-4+deb12u1
Control: tags -1 + moreinfo On Tue, 2023-11-21 at 11:35 -0500, Antoine Beaupre wrote: > needrestart, starting with bookworm, supports more microcode checks > than before. In particular, it now checks AMD CPUs. > > The amd64-microcode package seem to ship *less* firmware files than > its Intel counterpart, which leads to *many* machines (half a dozen) > in our fleet to suddenly start warning us about "UNKNOWN" firmware > status. > [...] > [ Checklist ] > [x] *all* changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in (old)stable There doesn't appear to be a debdiff attached. Regards, Adam
Bug#1056358: bookworm-pu: package needrestart/3.6-4+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: needrest...@packages.debian.org, pmatth...@debian.org Control: affects -1 + src:needrestart [ Reason ] needrestart, starting with bookworm, supports more microcode checks than before. In particular, it now checks AMD CPUs. The amd64-microcode package seem to ship *less* firmware files than its Intel counterpart, which leads to *many* machines (half a dozen) in our fleet to suddenly start warning us about "UNKNOWN" firmware status. [ Impact ] Spurious warnings lead to alert fatigue and consequently untimely security upgrades, which is the main reason why I'm considering this serious enough to warrant a stable update. [ Tests ] The provided patches were tested in production on a fleet (~50 machines) of Debian bookworm servers on torproject.org. [ Risks ] Code is relatively simple. There's a risk that operators who did *not* install the amd64-microcode package will not get a warning, but that's consider an operator error, and out of scope for this. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [~] the issue is verified as fixed in unstable [ Changes ] There are three patches here: 1. 05-fix-AMD-ucode-checking-in-non-debug-mode.patch - fixes a bug where AMD microcode checks would fail unless -v is passed 2. 06-uCode-fix-uninitialized-value-in-logging-of-processo.patch - fix uninitialized variable error, required for the other patches to work 3. 07-mark-unavailable-firmware-as-CURRENT.patch - do not mark unavailable firmware as "UNKNOWN" The first and second patches have shipped into unstable with the -6 release, the last patch is pending. [ Other info ] anarcat@angela:dist$ debdiff needrestart_3.6-4.dsc needrestart_3.6-4+deb12u1.dsc| diffstat dpkg-source: warning: extracting unsigned source package (/home/anarcat/dist/needrestart_3.6-4+deb12u1.dsc) changelog |6 patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch | 33 + patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch | 30 patches/07-mark-unavailable-firmware-as-CURRENT.patch | 61 ++ patches/series|3 5 files changed, 133 insertions(+) We might also want to consider updating to the unstable version directly, as the patch is relatively similar, in fact it's currently *smaller* because it's lacking the third patch here: anarcat@angela:dist[1]$ debdiff needrestart_3.6-4.dsc needrestart_3.6-6.dsc | diffstat NEWS |8 -- changelog| 26 +++ control |1 patches/05-fix-AMD-ucode-checking-in-non-debug-mode.diff | 33 ++ patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.diff | 30 + patches/series |2 6 files changed, 91 insertions(+), 9 deletions(-)
