Bug#944538: buster-pu: package ganeti-instance-debootstrap/0.16-6.1
On 2020-04-26 10:46:41, Antoine Beaupré wrote:

[...]

> I will also mention that this has landed in buster ages ago, and no ill
> effects were found there.

I meant bullseye here, sorry.

Any news? :)

a.

--
Striving for social justice is the most valuable thing to do in life
                        - Albert Einstein
Bug#944538: buster-pu: package ganeti-instance-debootstrap/0.16-6.1
On 2020-04-26 15:45:02, Julien Cristau wrote:
> On Fri, Feb 07, 2020 at 05:21:21PM -0500, Antoine Beaupré wrote:
>> [sorry for the dupe, hit send by mistake :(]
>>
>> On 2019-11-24 12:13:20, Antoine Beaupré wrote:
>> > On 2019-11-23 18:34:25, Julien Cristau wrote:
>> >> I'm a bit uneasy about a blanket "include all", to be honest. It's
>> >> probably harmless since it's all coming straight out of debootstrap, but
>> >> I'd have been happier with something like "include security.*" if that's
>> >> what we expect to see.
>> >
>> > What kind of problems would you expect with including too many ACLs?
>>
>> I'm still curious to hear what kind of problems you expect here. I've
>> been running this patch in production for months now and would really
>> like to see this land in buster (and hopefully stretch next).
>>
> I don't know, that's kind of the point. For changes in stable I tend to
> err on the side of "if there's no demonstrated need for a change then it
> shouldn't be done". Things like "because why not" tend to be red flags.

I don't know what to say here. I'm not familiar with the security.* flag
you are referring to, and I do not know whether it will fix my bug. I also
do not know if there are other similar bugs lurking that we just haven't
found yet, exactly about this.

It seems to me we should have the most faithful archive and recovery when
we do a snapshot. This is what this patch does.

You bring up the concern of "include all" yet you also explicitly say
that it's "probably harmless". So I'm truly confused as to why we're still
blocking on this. I understand we want to be conservative in stable, but
this is not like I'm introducing a 1000-line long patch here. I would
argue that restricting the number of extended attributes is *more* likely
to create bugs than the opposite.

I will also mention that this has landed in buster ages ago, and no ill
effects were found there.

A.

--
Use for yourself little but give to others much.
                        - Albert Einstein
Bug#944538: buster-pu: package ganeti-instance-debootstrap/0.16-6.1
On Fri, Feb 07, 2020 at 05:21:21PM -0500, Antoine Beaupré wrote:
> [sorry for the dupe, hit send by mistake :(]
>
> On 2019-11-24 12:13:20, Antoine Beaupré wrote:
> > On 2019-11-23 18:34:25, Julien Cristau wrote:
> >> I'm a bit uneasy about a blanket "include all", to be honest. It's
> >> probably harmless since it's all coming straight out of debootstrap, but
> >> I'd have been happier with something like "include security.*" if that's
> >> what we expect to see.
> >
> > What kind of problems would you expect with including too many ACLs?
>
> I'm still curious to hear what kind of problems you expect here. I've
> been running this patch in production for months now and would really
> like to see this land in buster (and hopefully stretch next).
>
I don't know, that's kind of the point. For changes in stable I tend to
err on the side of "if there's no demonstrated need for a change then it
shouldn't be done". Things like "because why not" tend to be red flags.

Cheers,
Julien
Bug#944538: buster-pu: package ganeti-instance-debootstrap/0.16-6.1
On 2019-11-24 12:13:20, Antoine Beaupré wrote:
> On 2019-11-23 18:34:25, Julien Cristau wrote:
>> On Mon, Nov 11, 2019 at 10:40:58AM -0500, Antoine Beaupre wrote:
>>> diff -Nru ganeti-instance-debootstrap-0.16/debian/changelog >>> ganeti-instance-debootstrap-0.16/debian/changelog >>> --- ganeti-instance-debootstrap-0.16/debian/changelog 2018-06-20 >>> 06:57:18.0 -0400 >>> +++ ganeti-instance-debootstrap-0.16/debian/changelog 2019-11-01 >>> 19:01:50.0 -0400 >>> @@ -1,3 +1,10 @@ >>> +ganeti-instance-debootstrap (0.16-6.1) unstable; urgency=medium
>>
>> Version number and distribution don't look right.
>
> Ah yes, that would be 0.16-6+deb10u1, right?
>
> [...]

Attached a new debdiff with a better version number.

>> I'm a bit uneasy about a blanket "include all", to be honest. It's
>> probably harmless since it's all coming straight out of debootstrap, but
>> I'd have been happier with something like "include security.*" if that's
>> what we expect to see.
>
> What kind of problems would you expect with including too many ACLs?
>
> A.
>
> --
> Qui vit sans folie n'est pas si sage qu'il croit.
>                         - François de La Rochefoucauld

--
Information is not knowledge. Knowledge is not wisdom. Wisdom is not
truth. Truth is not beauty. Beauty is not love. Love is not music. Music
is the best.
                        - Frank Zappa
Bug#944538: buster-pu: package ganeti-instance-debootstrap/0.16-6.1
[sorry for the dupe, hit send by mistake :(]

On 2019-11-24 12:13:20, Antoine Beaupré wrote:
> On 2019-11-23 18:34:25, Julien Cristau wrote:
>> On Mon, Nov 11, 2019 at 10:40:58AM -0500, Antoine Beaupre wrote:
>>> diff -Nru ganeti-instance-debootstrap-0.16/debian/changelog >>> ganeti-instance-debootstrap-0.16/debian/changelog >>> --- ganeti-instance-debootstrap-0.16/debian/changelog 2018-06-20 >>> 06:57:18.0 -0400 >>> +++ ganeti-instance-debootstrap-0.16/debian/changelog 2019-11-01 >>> 19:01:50.0 -0400 >>> @@ -1,3 +1,10 @@ >>> +ganeti-instance-debootstrap (0.16-6.1) unstable; urgency=medium
>>
>> Version number and distribution don't look right.
>
> Ah yes, that would be 0.16-6+deb10u1, right?

Attached a better debdiff with the right version number. I'm now part of
the ganeti team so this is actually a team upload now, and the patch has
been merged in the salsa repo.

[...]

>>
>> I'm a bit uneasy about a blanket "include all", to be honest. It's
>> probably harmless since it's all coming straight out of debootstrap, but
>> I'd have been happier with something like "include security.*" if that's
>> what we expect to see.
>
> What kind of problems would you expect with including too many ACLs?

I'm still curious to hear what kind of problems you expect here. I've
been running this patch in production for months now and would really
like to see this land in buster (and hopefully stretch next).

Can I upload the package now?

Thanks!

--
Men are taught to apologize for their weaknesses, women for their strengths.
                        - Lois Wyse

diff -Nru ganeti-instance-debootstrap-0.16/debian/changelog ganeti-instance-debootstrap-0.16/debian/changelog --- ganeti-instance-debootstrap-0.16/debian/changelog 2018-06-20 06:57:18.0 -0400 +++ ganeti-instance-debootstrap-0.16/debian/changelog 2020-02-07 17:11:06.0 -0500
@@ -1,3 +1,10 @@ +ganeti-instance-debootstrap (0.16-6+deb10u1) buster; urgency=medium + + * Team upload. + * add patch to respect linux caps (Closes: #942114) + + -- Antoine Beaupré Fri, 07 Feb 2020 17:11:06 -0500 + ganeti-instance-debootstrap (0.16-6) unstable; urgency=medium * Bump Standards-Version to 4.1.4; no changes needed diff -Nru ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch --- ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch 1969-12-31 19:00:00.0 -0500 +++ ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch 2020-02-07 17:11:06.0 -0500 
@@ -0,0 +1,48 @@ +From cd34bcc48a2af92f484535b81fba2d46dad1dbb6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= +Date: Thu, 10 Oct 2019 11:07:51 -0400 +Subject: [PATCH] respect Linux capabilities(7) in cache + +The default GNU tar configuration does not carry fancy extended +attributes and that is where, among other things, stuff like Linux +capabilities(7) are stored. This is kind of important because that's +how ping(8) works for regular users. + +We shove --selinux and --acls in there while we're at it, because why +not. We never know what the future might bring, and it seems +silly *not* to create a complete archive. + +Note that --xattrs-include='*' is important because, by default, GNU +tar will not include capabilities /even/ if --xattrs is specified on +the commandline, see this bug report for details: + +https://bugzilla.redhat.com/show_bug.cgi?id=771927 +--- + create | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/create b/create +index 607bab2..7526e71 100755 +--- a/create b/create +@@ -83,7 +83,7 @@ if [ "$CLEAN_CACHE" -a -d "$CACHE_DIR" ]; then + fi + + if [ -f "$CACHE_FILE" ]; then +- tar xf "$CACHE_FILE" -C $TMPDIR ++ tar --acls --selinux --xattrs --xattrs-include='*' -x -f "$CACHE_FILE" -C $TMPDIR + else + if [ "$PROXY" ]; then + export http_proxy="$PROXY" +@@ -109,7 +109,7 @@ else + + if [ "$GENERATE_CACHE" = "yes" ]; then + TMP_CACHE=`mktemp "${CACHE_FILE}.XX"` +-tar cf "$TMP_CACHE" -C $TMPDIR . ++tar --acls --selinux --xattrs --xattrs-include='*' -c -f "$TMP_CACHE" -C $TMPDIR . + mv -f "$TMP_CACHE" "$CACHE_FILE" + fi + fi +-- +2.20.1 + diff -Nru ganeti-instance-debootstrap-0.16/debian/patches/series ganeti-instance-debootstrap-0.16/debian/patches/series --- ganeti-instance-debootstrap-0.16/debian/patches/series 2018-06-20 06:57:18.0 -0400 +++ ganeti-instance-debootstrap-0.16/debian/patches/series 2020-02-07 17:11:06.0 -0500 
@@ -1 +1,2 @@ +respect-Linux-capabilities-7-in-cache.patch fix-sfdisk-BLKRRPART.patch
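Review bot: in the `respect-Linux-capabilities-7-in-cache.patch` hunk, the new extraction line `tar --acls --selinux --xattrs --xattrs-include='*' -x -f "$CACHE_FILE" -C $TMPDIR` can only restore what the cache holds, and a `$CACHE_FILE` written earlier by the old `tar cf "$TMP_CACHE" -C $TMPDIR .` carries no extended attributes at all, so instances built from an already existing cache still come up without `security.capability` until that cache is cleared (the `CLEAN_CACHE` branch in the context) or regenerated. The changelog entry or the patch description should tell operators to drop the cache once after upgrading, otherwise the fix looks ineffective on exactly the hosts that have been running the longest.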
Bug#944538: buster-pu: package ganeti-instance-debootstrap/0.16-6.1
On 2019-11-23 18:34:25, Julien Cristau wrote: > On Mon, Nov 11, 2019 at 10:40:58AM -0500, Antoine Beaupre wrote: >> diff -Nru ganeti-instance-debootstrap-0.16/debian/changelog >> ganeti-instance-debootstrap-0.16/debian/changelog >> --- ganeti-instance-debootstrap-0.16/debian/changelog2018-06-20 >> 06:57:18.0 -0400 >> +++ ganeti-instance-debootstrap-0.16/debian/changelog2019-11-01 >> 19:01:50.0 -0400 >> @@ -1,3 +1,10 @@ >> +ganeti-instance-debootstrap (0.16-6.1) unstable; urgency=medium > > Version number and distribution don't look right. Ah yes, that would be 0.16-6+deb10u1, right? >> + >> + * Non-maintainer upload >> + * add patch to respect linux caps (Closes: #942114) >> + >> + -- Antoine Beaupré Fri, 01 Nov 2019 19:01:50 -0400 >> + >> ganeti-instance-debootstrap (0.16-6) unstable; urgency=medium >> >>* Bump Standards-Version to 4.1.4; no changes needed >> diff -Nru >> ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch >> >> ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch >> --- >> ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch >> 1969-12-31 19:00:00.0 -0500 >> +++ >> ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch >> 2019-11-01 19:01:50.0 -0400 
>> @@ -0,0 +1,48 @@ >> +From cd34bcc48a2af92f484535b81fba2d46dad1dbb6 Mon Sep 17 00:00:00 2001 >> +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= >> +Date: Thu, 10 Oct 2019 11:07:51 -0400 >> +Subject: [PATCH] respect Linux capabilities(7) in cache >> + >> +The default GNU tar configuration does not carry fancy extended >> +attributes and that is where, among other things, stuff like Linux >> +capabilities(7) are stored. This is kind of important because that's >> +how ping(8) works for regular users. >> + >> +We shove --selinux and --acls in there while we're at it, because why >> +not. We never know what the future might bring, and it seems >> +silly *not* to create a complete archive. >> + >> +Note that --xattrs-include='*' is important because, by default, GNU >> +tar will not include capabilities /even/ if --xattrs is specified on >> +the commandline, see this bug report for details: >> + > > I'm a bit uneasy about a blanket "include all", to be honest. It's > probably harmless since it's all coming straight out of debootstrap, but > I'd have been happier with something like "include security.*" if that's > what we expect to see. What kind of problems would you expect with including too many ACLs? A. -- Qui vit sans folie n'est pas si sage qu'il croit. - François de La Rochefoucauld
Bug#944538: buster-pu: package ganeti-instance-debootstrap/0.16-6.1
On Mon, Nov 11, 2019 at 10:40:58AM -0500, Antoine Beaupre wrote: > diff -Nru ganeti-instance-debootstrap-0.16/debian/changelog > ganeti-instance-debootstrap-0.16/debian/changelog > --- ganeti-instance-debootstrap-0.16/debian/changelog 2018-06-20 > 06:57:18.0 -0400 > +++ ganeti-instance-debootstrap-0.16/debian/changelog 2019-11-01 > 19:01:50.0 -0400 > @@ -1,3 +1,10 @@ > +ganeti-instance-debootstrap (0.16-6.1) unstable; urgency=medium Version number and distribution don't look right. > + > + * Non-maintainer upload > + * add patch to respect linux caps (Closes: #942114) > + > + -- Antoine Beaupré Fri, 01 Nov 2019 19:01:50 -0400 > + > ganeti-instance-debootstrap (0.16-6) unstable; urgency=medium > >* Bump Standards-Version to 4.1.4; no changes needed > diff -Nru > ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch > > ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch > --- > ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch >1969-12-31 19:00:00.0 -0500 > +++ > ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch >2019-11-01 19:01:50.0 -0400 
> @@ -0,0 +1,48 @@ > +From cd34bcc48a2af92f484535b81fba2d46dad1dbb6 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= > +Date: Thu, 10 Oct 2019 11:07:51 -0400 > +Subject: [PATCH] respect Linux capabilities(7) in cache > + > +The default GNU tar configuration does not carry fancy extended > +attributes and that is where, among other things, stuff like Linux > +capabilities(7) are stored. This is kind of important because that's > +how ping(8) works for regular users. > + > +We shove --selinux and --acls in there while we're at it, because why > +not. We never know what the future might bring, and it seems > +silly *not* to create a complete archive. > + > +Note that --xattrs-include='*' is important because, by default, GNU > +tar will not include capabilities /even/ if --xattrs is specified on > +the commandline, see this bug report for details: > + I'm a bit uneasy about a blanket "include all", to be honest. It's probably harmless since it's all coming straight out of debootstrap, but I'd have been happier with something like "include security.*" if that's what we expect to see. Cheers, Julien
Bug#944538: buster-pu: package ganeti-instance-debootstrap/0.16-6.1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

ganeti-instance-debootstrap (GID) has an RC bug (grave) affecting buster
(#942114). I uploaded a minimal package to unstable to fix this problem
which has now trickled down into testing and that I think would be
important to include in the next point release.

The attached patch describes the current diff between stable and testing.
All it does is include a patch that changes the `tar` call to store more
information in the cache file so that "special" properties (like
capabilities) are properly stored across installs.

We've been running this patch in production for a few weeks at tor
without any problems.

A.

-- System Information:
Debian Release: 10.1
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru ganeti-instance-debootstrap-0.16/debian/changelog ganeti-instance-debootstrap-0.16/debian/changelog --- ganeti-instance-debootstrap-0.16/debian/changelog 2018-06-20 06:57:18.0 -0400 +++ ganeti-instance-debootstrap-0.16/debian/changelog 2019-11-01 19:01:50.0 -0400
@@ -1,3 +1,10 @@ +ganeti-instance-debootstrap (0.16-6.1) unstable; urgency=medium + + * Non-maintainer upload + * add patch to respect linux caps (Closes: #942114) + + -- Antoine Beaupré Fri, 01 Nov 2019 19:01:50 -0400 + ganeti-instance-debootstrap (0.16-6) unstable; urgency=medium * Bump Standards-Version to 4.1.4; no changes needed diff -Nru ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch --- ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch 1969-12-31 19:00:00.0 -0500 +++ ganeti-instance-debootstrap-0.16/debian/patches/respect-Linux-capabilities-7-in-cache.patch 2019-11-01 19:01:50.0 -0400 
@@ -0,0 +1,48 @@ +From cd34bcc48a2af92f484535b81fba2d46dad1dbb6 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= +Date: Thu, 10 Oct 2019 11:07:51 -0400 +Subject: [PATCH] respect Linux capabilities(7) in cache + +The default GNU tar configuration does not carry fancy extended +attributes and that is where, among other things, stuff like Linux +capabilities(7) are stored. This is kind of important because that's +how ping(8) works for regular users. + +We shove --selinux and --acls in there while we're at it, because why +not. We never know what the future might bring, and it seems +silly *not* to create a complete archive. + +Note that --xattrs-include='*' is important because, by default, GNU +tar will not include capabilities /even/ if --xattrs is specified on +the commandline, see this bug report for details: + +https://bugzilla.redhat.com/show_bug.cgi?id=771927 +--- + create | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/create b/create +index 607bab2..7526e71 100755 +--- a/create b/create +@@ -83,7 +83,7 @@ if [ "$CLEAN_CACHE" -a -d "$CACHE_DIR" ]; then + fi + + if [ -f "$CACHE_FILE" ]; then +- tar xf "$CACHE_FILE" -C $TMPDIR ++ tar --acls --selinux --xattrs --xattrs-include='*' -x -f "$CACHE_FILE" -C $TMPDIR + else + if [ "$PROXY" ]; then + export http_proxy="$PROXY" +@@ -109,7 +109,7 @@ else + + if [ "$GENERATE_CACHE" = "yes" ]; then + TMP_CACHE=`mktemp "${CACHE_FILE}.XX"` +-tar cf "$TMP_CACHE" -C $TMPDIR . ++tar --acls --selinux --xattrs --xattrs-include='*' -c -f "$TMP_CACHE" -C $TMPDIR . + mv -f "$TMP_CACHE" "$CACHE_FILE" + fi + fi +-- +2.20.1 + diff -Nru ganeti-instance-debootstrap-0.16/debian/patches/series ganeti-instance-debootstrap-0.16/debian/patches/series --- ganeti-instance-debootstrap-0.16/debian/patches/series 2018-06-20 06:57:18.0 -0400 +++ ganeti-instance-debootstrap-0.16/debian/patches/series 2019-11-01 19:01:50.0 -0400 
@@ -1 +1,2 @@ +respect-Linux-capabilities-7-in-cache.patch fix-sfdisk-BLKRRPART.patch
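Review bot: the changelog hunk carries an NMU version and the wrong suite for a buster point-release update: `+ganeti-instance-debootstrap (0.16-6.1) unstable; urgency=medium` should read `ganeti-instance-debootstrap (0.16-6+deb10u1) buster; urgency=medium`, since stable updates use a `+deb10uN` revision on top of the version in stable and target `buster`, while `0.16-6.1` is the NMU form for unstable.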
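Review bot: `--xattrs-include='*'` on both the `-x` and the `-c` line of the `respect-Linux-capabilities-7-in-cache.patch` hunk writes back every extended-attribute namespace present in the cache, while the stated goal is only `security.capability`; `--xattrs-include='security.capability'` (or `'security.*'`) would fix the ping(8) case with a narrower set of attributes applied to the instance filesystem, and if the wildcard is kept the description should give a concrete reason rather than "because why not". Minor: `$TMPDIR` stays unquoted on both changed lines; quoting it while they are being rewritten costs nothing.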
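An offline check that a cache archive really carries the capability xattrs this report is about, as an added Python example (not code from the bug report, the ganeti-instance-debootstrap package or GNU tar): it reads the `SCHILY.xattr.security.capability` PAX records that GNU tar writes for `--xattrs` archives and decodes the `vfs_cap_data` value. The sample archive is constructed in memory; the `./bin/ping` path and the `cap_net_raw` expectation are assumptions, and the same functions can be pointed at a real GID cache file.

```python
import io
import struct
import tarfile

# A few capability bit numbers from linux/capability.h; others are reported as "cap_N".
CAP_NAMES = {0: "cap_chown", 1: "cap_dac_override", 6: "cap_setgid", 7: "cap_setuid",
             10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw", 21: "cap_sys_admin"}
# PAX keyword under which GNU tar --xattrs records the security.capability xattr.
XATTR_KEY = "SCHILY.xattr.security.capability"

def cap_names(mask: int) -> list:
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1]

def decode_vfs_cap(data: bytes) -> dict:
    """Decode a security.capability value (struct vfs_cap_data, little-endian)."""
    (magic_etc,) = struct.unpack_from("<I", data, 0)
    revision = magic_etc >> 24         # VFS_CAP_REVISION_{1,2,3} lives in the top byte
    words = 1 if revision == 1 else 2  # rev 1 has one permitted/inheritable pair, rev 2 and 3 have two
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", data, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"revision": revision, "effective": bool(magic_etc & 1),  # VFS_CAP_FLAGS_EFFECTIVE
            "permitted": cap_names(permitted), "inheritable": cap_names(inheritable)}

def capabilities_in_cache(tar_bytes: bytes) -> dict:
    """Map member path -> decoded caps for every member carrying security.capability."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            raw = m.pax_headers.get(XATTR_KEY)
            if raw is not None:  # tarfile returns the value as str; recover the raw bytes
                path = m.name[2:] if m.name.startswith("./") else m.name  # `tar -C dir .` names
                found[path] = decode_vfs_cap(raw.encode("utf-8", "surrogateescape"))
    return found

def missing_capabilities(tar_bytes: bytes, expected: dict) -> list:
    """Paths in expected ({path: set of cap names}) whose permitted set is absent or incomplete."""
    found = capabilities_in_cache(tar_bytes)
    return [p for p, caps in expected.items()
            if not caps <= set(found.get(p, {}).get("permitted", []))]

def build_sample_cache(with_xattrs: bool) -> bytes:
    """Constructed stand-in for a GID cache archive, not a real debootstrap result."""
    # rev 2, effective flag, cap_net_raw (bit 13) permitted: what `setcap cap_net_raw+ep` stores
    cap = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        for name in ("./bin/ping", "./etc/hostname"):
            ti = tarfile.TarInfo(name)
            if with_xattrs and name == "./bin/ping":
                ti.pax_headers = {XATTR_KEY: cap.decode("utf-8", "surrogateescape")}
            tf.addfile(ti, io.BytesIO(b""))
    return buf.getvalue()
```

A cache produced by the old `tar cf` yields no entries at all, which is the quickest way to tell a stale cache from one written by the patched command.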