Bug#864189: unblock: systemd/232-25

2017-06-05 Thread Cyril Brulebois
Niels Thykier (2017-06-05):
> Michael Biebl:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Hi,
> > 
> > please consider unblocking systemd.
> > 
> > The changes include two fixes for selinux, a fix for a dist-upgrade
> > failure and an important performance regression.
> > 
> > None of those should affect the udev/libudev1 udeb, i.e. the
> > installer.
> > 
> > That said, I've CCed debian-boot for a d-i/KiBi ack.
> > 
> > Here's an annotated changelog
> > 
> > 
> > [...]
> > 
> > Full debdiff is attached as well.
> > 
> > Regards,
> > Michael
> > 
> > unblock systemd/232-25
> > 
> > [...]
> 
> Ack from here.

Looks good to me, and tests are OK as well: ack.


KiBi.




Bug#864189: unblock: systemd/232-25

2017-06-05 Thread Niels Thykier
Michael Biebl:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Hi,
> 
> please consider unblocking systemd.
> 
> The changes include two fixes for selinux, a fix for a dist-upgrade
> failure and an important performance regression.
> 
> None of those should affect the udev/libudev1 udeb, i.e. the installer.
> 
> That said, I've CCed debian-boot for a d-i/KiBi ack.
> 
> Here's an annotated changelog
> 
> 
> [...]
> 
> Full debdiff is attached as well.
> 
> Regards,
> Michael
> 
> unblock systemd/232-25
> 
> [...]

Ack from here.

Thanks,
~Niels



Bug#864189: unblock: systemd/232-25

2017-06-04 Thread Michael Biebl
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Hi,

please consider unblocking systemd.

The changes include two fixes for selinux, a fix for a dist-upgrade
failure and an important performance regression.

None of those should affect the udev/libudev1 udeb, i.e. the installer.

That said, I've CCed debian-boot for a d-i/KiBi ack.

Here's an annotated changelog


systemd (232-25) unstable; urgency=medium

  * hwdb: Use path_join() to generate the hwdb_bin path.
    This ensures /lib/udev/hwdb.bin gets the correct SELinux context. Having
    double slashes in the path makes selabel_lookup_raw() return the wrong
    context. (Closes: #851933)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=16508bf

I was asked by the SELinux maintainers to fix this for stretch. In the
end, it turned out to be a bug in libselinux (#863854). But the fix for
libselinux is rather invasive so will likely not make it into stretch
and it's easy to avoid triggering the bug, so I've decided to fix/work
around this in systemd.

  * selinux: Enable labeling and access checks for unprivileged users.
    Revert commit that inadvertently broke a lot of SELinux related
    functionality for both unprivileged users and systemd instances running
    as MANAGER_USER and instead deal with the auditd issue by checking for
    the CAP_AUDIT_WRITE capability before opening an audit netlink socket.
    (Closes: #863800)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=5088d0

Laurent Bigonville, one of the SELinux maintainers, asked me to pull
those fixes for stretch. He tested the patches and confirmed that they
work. The patches are from upstream.

  * Revert "systemd-sysv: Add Conflicts: systemd-shim"
    Under certain conditions this confuses Jessies's apt which then tries to
    remove systemd while being the active init system, resulting in a failed
    dist-upgrade. While this turned out to be a bug in apt, avoid this
    situation by dropping the Conflicts. (Closes: #854041)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=a99075

This is the bug which imho is the most important one to get fixed for r0.
It was (sometimes) causing dist-upgrade failures, if prior to the upgrade
systemd-shim was installed. David Kalnischkies identified this as a bug
in apt, but since we can't retroactively fix apt in jessie, I decided to
drop this Conflicts again to avoid this situation.

  * link: Fix offload features initialization.
    This fixes a regression introduced in v232 which caused TCP
    segmentation offloads being disabled by default, resulting in
    significant performance issues under certain conditions. (Closes: #864073)

https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=stretch=551b79

This seemed like a rather straightforward fix which was unfortunately
only reported the other day. Otherwise I would have pulled it earlier.
The patch is from upstream.

Full debdiff is attached as well.

Regards,
Michael

unblock systemd/232-25

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), 
LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index 68276b7..d3789db 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,27 @@
+systemd (232-25) unstable; urgency=medium
+
+  * hwdb: Use path_join() to generate the hwdb_bin path.
+This ensures /lib/udev/hwdb.bin gets the correct SELinux context. Having
+double slashes in the path makes selabel_lookup_raw() return the wrong
+context. (Closes: #851933)
+  * selinux: Enable labeling and access checks for unprivileged users.
+Revert commit that inadvertently broke a lot of SELinux related
+functionality for both unprivileged users and systemd instances running
+as MANAGER_USER and instead deal with the auditd issue by checking for
+the CAP_AUDIT_WRITE capability before opening an audit netlink socket.
+(Closes: #863800)
+  * Revert "systemd-sysv: Add Conflicts: systemd-shim"
+Under certain conditions this confuses Jessies's apt which then tries to
+remove systemd while being the active init system, resulting in a failed
+dist-upgrade. While this turned out to be a bug in apt, avoid this
+situation by dropping the Conflicts. (Closes: #854041)
+  * link: Fix offload features initialization.
+This fixes a regression introduced in v232 which caused TCP
+segmentation offloads being disabled by default, resulting in
+significant performance issues under certain conditions. (Closes: #864073)
+
+ -- Michael Biebl   Sun, 04 Jun 2017 22:58:32
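Review bot: In the selinux entry, "Revert commit that inadvertently broke a lot of SELinux related functionality" does not say which commit is being reverted; name it by subject or upstream commit id so the entry can be matched against the patch series and the CAP_AUDIT_WRITE check can be reviewed against it. The hwdb entry reads as a plain systemd fix, while the request describes it as a workaround for a libselinux bug (#863854); referencing that bug in the entry would make it clear when the workaround can be dropped. The systemd-shim entry similarly mentions "a bug in apt" without a bug reference. Minor: "Jessies's apt" should read "jessie's apt".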