Bug#964482: buster-pu: xen/4.11.4+24-gddaaccbbab-1~deb10u1
Hi,

On 7/8/20 9:35 AM, Moritz Muehlenhoff wrote:
> On Tue, Jul 07, 2020 at 10:56:18PM +0200, Hans van Kranenburg wrote:
>> Additional To: t...@security.debian.org
>>
>> Hi Security team,
>>
>> After our last security update, which was
>> 4.11.3+24-g14b62ab3e5-1~deb10u1, we found out that there is a bugfix to
>> be done to help users upgrade from Buster to Bullseye. This fix was
>> included in the unstable xen 4.11.4-1 upload (it also helps for the
>> future from there) and has been in unstable for 41 days now.
>>
>> I have chosen to not bother you with a new security upload for 4.11.4 to
>> Buster at that time (while it included security fixes) because I didn't
>> want to skip going through the stable release process because of this
>> packaging change.
>>
>> Now, we're on the verge of a new buster point release.
>>
>> Can you please read https://bugs.debian.org/964482 and ack that we can
>> do a combination of the security updates and this packaging change for
>> stable?
>
> Ack, we can piggyback the fix for 964482 to the buster-security update,
> no problem.

Ok, clear. In that case it will be a security update with the fix
included. I was just trying to be more 'compliant'. :)

Upstream Xen testing finished and has all the commits in stable-4.11 now.
I did the upload for Debian unstable already, it's processed now.
https://packages.debian.org/source/sid/xen

So, I changed the changelog to buster-security, and did another build and
test run here, all is looking good.
https://salsa.debian.org/xen-team/debian-xen/-/commit/0da17d8b443233e521c84886c2fc913ea4ee4480

Since I'm a DM I guess I need a sponsor for the security upload. Can
someone from the security team do this? I put everything here, signed and
well: https://syrinx.knorrie.org/~knorrie/tmp/xen/

I have another question, which is about timing.

I was asking around a bit a few weeks ago, but did not get any response
on this: for the users who are running some Xen cluster, it's really
useful to get Xen and Linux kernel changes at the same time, to reduce
the amount of 'reboot stress' we're causing them. Does anyone have a
brilliant idea about how to improve this?

I mean, if we do this security update now, then next week the new kernel
is in the point release...

In general, if the kernel team does a security update, or if a point
release happens, it would be useful to push out a Xen update as well at
the same time...

I can of course write some dirty script that polls kernel team git all
the time and then emails me with "hola! activity in a -security
branch!"...

Thanks,
Hans
Bug#964482: buster-pu: xen/4.11.4+24-gddaaccbbab-1~deb10u1
On Tue, Jul 07, 2020 at 10:56:18PM +0200, Hans van Kranenburg wrote:
> Additional To: t...@security.debian.org
>
> Hi Security team,
>
> After our last security update, which was
> 4.11.3+24-g14b62ab3e5-1~deb10u1, we found out that there is a bugfix to
> be done to help users upgrade from Buster to Bullseye. This fix was
> included in the unstable xen 4.11.4-1 upload (it also helps for the
> future from there) and has been in unstable for 41 days now.
>
> I have chosen to not bother you with a new security upload for 4.11.4 to
> Buster at that time (while it included security fixes) because I didn't
> want to skip going through the stable release process because of this
> packaging change.
>
> Now, we're on the verge of a new buster point release.
>
> Can you please read https://bugs.debian.org/964482 and ack that we can
> do a combination of the security updates and this packaging change for
> stable?

Ack, we can piggyback the fix for 964482 to the buster-security update,
no problem.

Cheers,
        Moritz
Bug#964482: buster-pu: xen/4.11.4+24-gddaaccbbab-1~deb10u1
On Tue, 2020-07-07 at 22:21 +0200, Hans van Kranenburg wrote:
> On 7/7/20 9:51 PM, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Tue, 2020-07-07 at 21:16 +0200, Hans van Kranenburg wrote:
> > > I'd like to update the xen packages in buster to
> > > 4.11.4+24-gddaaccbbab-1~deb10u1 for the 10.5 point release. This
> > > is an update to keep following the stable-4.11 upstream Xen
> > > code, which mainly contains security fixes.
> > >
> > > https://salsa.debian.org/xen-team/debian-xen/-/blob/10f1a4a8f15b6748459cd1c826d3808694682faf/debian/changelog
> >
> > In that case, please attach a source debdiff between the current
> > stable package and the proposed package (built and tested on
> > stable) to this request.
>
> I can do that. Are you sure you want to read through the upstream
> changes in a way that collapses everything and removes the context of
> the original git commits with any useful information about whether
> it's related to an XSA, or if it's a backport of a critical bug that
> crashes systems for our stable users or if it's a commit that really
> needs to be included before the security fix will actually work?

Well, you're welcome to provide additional information that you think
would help. But there does need to at least be a debdiff that can
persist in the bug report.

> I'm trying to run this through the stable release process because
> there's an (one) actual packaging change involved.
>
> If we only had upstream changes, we'd do this as a regular security
> update.

In that case, have you discussed this with the Security Team at all?
They're often open to including small non-security changes if those are
separately identified and acked from the SRM side.

Regards,

Adam
Bug#964482: buster-pu: xen/4.11.4+24-gddaaccbbab-1~deb10u1
On 7/7/20 9:51 PM, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Tue, 2020-07-07 at 21:16 +0200, Hans van Kranenburg wrote:
>> I'd like to update the xen packages in buster to
>> 4.11.4+24-gddaaccbbab-1~deb10u1 for the 10.5 point release. This is
>> an update to keep following the stable-4.11 upstream Xen code, which
>> mainly contains security fixes.
>>
>> https://salsa.debian.org/xen-team/debian-xen/-/blob/10f1a4a8f15b6748459cd1c826d3808694682faf/debian/changelog
>
> In that case, please attach a source debdiff between the current stable
> package and the proposed package (built and tested on stable) to this
> request.

I can do that. Are you sure you want to read through the upstream
changes in a way that collapses everything and removes the context of
the original git commits with any useful information about whether it's
related to an XSA, or if it's a backport of a critical bug that crashes
systems for our stable users or if it's a commit that really needs to be
included before the security fix will actually work?

I'm trying to run this through the stable release process because
there's an (one) actual packaging change involved.

If we only had upstream changes, we'd do this as a regular security
update.

>> I also have 4.11.4+24-gddaaccbbab-1 for unstable ready for upload
>> here.
>> All of it is right now waiting for the upstream testing at the Xen
>> project to finish, which is regression testing the latest additions
>> for today's published security advisories (
>> https://xenbits.xen.org/xsa/,
>> 2020-07-07). But, I'm already sending the request.
>
> It's fine to send the request now, but the unstable upload needs to
> happen first.

That's for sure!

Hans
Bug#964482: buster-pu: xen/4.11.4+24-gddaaccbbab-1~deb10u1
Control: tags -1 + moreinfo

On Tue, 2020-07-07 at 21:16 +0200, Hans van Kranenburg wrote:
> I'd like to update the xen packages in buster to
> 4.11.4+24-gddaaccbbab-1~deb10u1 for the 10.5 point release. This is
> an update to keep following the stable-4.11 upstream Xen code, which
> mainly contains security fixes.
>
> https://salsa.debian.org/xen-team/debian-xen/-/blob/10f1a4a8f15b6748459cd1c826d3808694682faf/debian/changelog

In that case, please attach a source debdiff between the current stable
package and the proposed package (built and tested on stable) to this
request.

> I also have 4.11.4+24-gddaaccbbab-1 for unstable ready for upload
> here.
> All of it is right now waiting for the upstream testing at the Xen
> project to finish, which is regression testing the latest additions
> for today's published security advisories (
> https://xenbits.xen.org/xsa/,
> 2020-07-07). But, I'm already sending the request.

It's fine to send the request now, but the unstable upload needs to
happen first.

Regards,

Adam
Processed: Re: Bug#964482: buster-pu: xen/4.11.4+24-gddaaccbbab-1~deb10u1
Processing control commands:

> tags -1 + moreinfo
Bug #964482 [release.debian.org] buster-pu: package xen/4.11.4+24-gddaaccbbab-1~deb10u1
Added tag(s) moreinfo.

--
964482: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964482
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#964482: buster-pu: xen/4.11.4+24-gddaaccbbab-1~deb10u1
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to update the xen packages in buster to
4.11.4+24-gddaaccbbab-1~deb10u1 for the 10.5 point release. This is an
update to keep following the stable-4.11 upstream Xen code, which mainly
contains security fixes.

https://salsa.debian.org/xen-team/debian-xen/-/blob/10f1a4a8f15b6748459cd1c826d3808694682faf/debian/changelog

I also have 4.11.4+24-gddaaccbbab-1 for unstable ready for upload here.
All of it is right now waiting for the upstream testing at the Xen
project to finish, which is regression testing the latest additions for
today's published security advisories (https://xenbits.xen.org/xsa/,
2020-07-07). But, I'm already sending the request.

Both unstable and Buster are on Xen 4.11. Currently buster has
4.11.3+24-g14b62ab3e5-1~deb10u1, so in the changelog you can see we'll
be syncing it up with unstable again.

The 4.11.4-1 package version contained an actual packaging change, that
fixes a bug for upgrading to a new Xen version. This is something we
want to have in Buster for our users. It means fixing upgrading from
Buster to Bullseye, but also for whoever follows Debian unstable now.

It's the stuff related to #932759 and these are the changes:

Init scripts:
https://salsa.debian.org/xen-team/debian-xen/-/commit/420d05e8b5950cb79b03a613f791cad400390bb8

NEWS:
https://salsa.debian.org/xen-team/debian-xen/-/commit/10baa2d48db43a5ff675bddf5482717f60fb748a

Testing and code review can also be seen in:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932759#38

So, since 4.11.4-1 is in unstable already, these changes have been out
there for weeks now. We have not seen any user report about any
regression.

Thanks,
Hans van Kranenburg