Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable
Hi Mike, On Mon, Aug 19, 2019 at 08:00:05PM +, Mike Gabriel wrote: > I have put together a buster branch for debian-edu-config. At the end of > this mail find a .diff between buster..master. cool, thanks for this! (I wont have time for review now though, cccamp is being too noisy atm.) > I wasn't sure about the D-I / entropy related changes between 2.10.65 and > 2.10.67 and if they were actually being targetted for the buster-pu or just > for stable. > > Please let me know, if "those" entropy commits need to get included or not. I believe either is fine. > Once we have agreed on a package version to upload to buster, I will compose > the buster srm bug report for it. 2.10.65+deb10u1 is good. -- cheers, Holger --- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C signature.asc Description: PGP signature
Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable
Hi Holger, hi Wolfgang, On Fr 16 Aug 2019 21:43:05 CEST, Holger Levsen wrote: Hi Mike, On Fri, Aug 16, 2019 at 05:43:42PM +, mike.gabr...@das-netzwerkteam.de wrote: I can do that after the weekend. I have put in in my calendar for Monday morning. great, thank you! I have put together a buster branch for debian-edu-config. At the end of this mail find a .diff between buster..master. I wasn't sure about the D-I / entropy related changes between 2.10.65 and 2.10.67 and if they were actually being targetted for the buster-pu or just for stable. Please let me know, if "those" entropy commits need to get included or not. Once we have agreed on a package version to upload to buster, I will compose the buster srm bug report for it. Please give feedback. Thanks! Mike ``` [mike@minobo d-e-c (buster)]$ git diff buster..master | cat diff --git a/debian/changelog b/debian/changelog index b78cc1b7..c4c58cf2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,59 +1,14 @@ -debian-edu-config (2.10.65+deb10u1) UNRELEASED; urgency=medium +debian-edu-config (2.10.67) unstable; urgency=medium [ Wolfgang Schweer ] - * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes: #928756) -- Use PXE option 'ipappend 2' for LTSP client boot. This option makes sure - that all DHCP server information is getting through to LTSP clients. - (LTSP used this option before, but switched to 'ipappend 3' during the - Buster development cycle to ease setups with ProxyDHCP.) - * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964) -- Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.) - * Set environment variable to deal with Firefox profile. (Closes: #930122) -This is a workaround for bug #930125, preventing firefox-esr startup issues -if the mozilla profile is on an NFS share). -- Ship share/debian-edu-config/edu-firefox-nfs with NSS_SDB_USE_CACHE="yes" - as content. Thanks to Mike Gabriel for spotting the issue and providing - this information. -- Add instructions to cf3/cf.workarounds to link the 'edu-firefox-nfs' file - to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'. - * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680) -- While the reported arch is i686, LTSP uses i386. Set arch accordingly. - * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366) -- Remove outdated (and now wrong) logging section. - * Fix loss of dynamically allocated v4 IP address. (Closes: #933580) -- Drop etc/network/if-up.d/hostname. This script doesn't work anymore due - to changed behaviour of the ifupdown/dhclient/systemd combination and now - also causes the loss of a dynamically allocated ipv4 IP address after 20 - to 30 minutes after booting. -- Add code to d/debian-edu-config.postinstall to implement the intended - hostname update just after rebooting the system after a change. -- Adjust Makefile. - * Provide Debian Edu RootCA certificate for download. (Closes: #933183) -- Adjust share/debian-edu-config/tools/create-debian-edu-certs to copy the - rootCA file to the web server directory at certificate generation time. -- Adjust cf3/cf.finalize to care for the rootCA file as well. -- Adjust cf3/cf.workarounds to copy the rootCA file to the web server - directory upon main server upgrade. - * Add LDAP server certificate to the initial LTSP NBD image. (Closes: #932828) -- etc/ltsp/ltsp-build-client.conf: Don't create the image by default. -- cf3/edu.cf: Define new class 'ltspimages'. -- cf3/cf.finalize: Add code to include the LDAP server certificate for all - possible use cases, to generate the image and to adjust various rights. - * Changes to debian-edu-config.fetch-ldap-cert from 2.10.67). + * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380) - Use independent conditions to make sure that the LDAP server certificate - is only downloaded once for both host and LTSP chroot. (Closes: #934380) + is only downloaded once for both host and LTSP chroot. - Add code to validate the LDAP server certificate in case the Debian Edu RootCA certificate is available for download. [ Mike Gabriel ] - * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66): -- Make the script (and with it Debian Edu buster workstations) work in a - Debian Edu environment where the main server (TJENER) is still on Debian - Edu 8 or 9. (Closes: #926933) -- Retrieve TJENER's PKI server certificate only once per host to improve - security. This re-introduces the behaviour of fetch-ldap-cert in stretch - and earlier. (Closes: #931413). - * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67): + * Code review debian-edu-config.fetch-ldap-cert: - White-space-only change: Fix broken and
Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable
Hi Mike, On Fri, Aug 16, 2019 at 05:43:42PM +, mike.gabr...@das-netzwerkteam.de wrote: > I can do that after the weekend. I have put in in my calendar for Monday > morning. great, thank you! -- cheers, Holger --- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C signature.asc Description: PGP signature
Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable
Hi Holger, Am Freitag, 16. August 2019 schrieb Holger Levsen: > On Fri, Aug 16, 2019 at 12:25:49PM +0200, Wolfgang Schweer wrote: > > Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if > > the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a > > fallback option. > > right. so back to my original question: > > however/anyway, I'm not sure we can get this past the release team for the > stable point release. we might. > > would someone else (Mike?) be willing to file a SRM bug for > debian-edu-config_2.10.65+deb10u1? (or 2.10.66~ or 2.10.67~???) > > > -- > cheers, > Holger > I can do that after the weekend. I have put in in my calendar for Monday morning. Mike -- Gesendet von meinem Fairphone2 (powered by Sailfish OS).
Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable
On Fri, Aug 16, 2019 at 12:25:49PM +0200, Wolfgang Schweer wrote: > Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if > the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a > fallback option. right. so back to my original question: however/anyway, I'm not sure we can get this past the release team for the stable point release. we might. would someone else (Mike?) be willing to file a SRM bug for debian-edu-config_2.10.65+deb10u1? (or 2.10.66~ or 2.10.67~???) -- cheers, Holger --- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C signature.asc Description: PGP signature
Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable
Hi Mike, thanks for the fast reply. On Fri, Aug 16, 2019 at 10:10:27AM +, Mike Gabriel wrote: > > Another improvement of the fetch-ldap-cert script shipped with d-e-c > > 2.10.67 is the use of independent conditions for host and LTSP chroot > > (instead of the global condition introduced with commit f8f436e); but > > then the drawback caused by this change for LTSP chroots has also been > > dealt with via d-e-c 2.10.66 fixes. > > > > Mike, please comment. > > Futhermore, we now entirely fixed backwards compatibility (new Debian Edu > clients running against old Debian Edu TJENERs). This was the main flaw of > the original Debian 10.0 implementation. You can't use Debian Edu 10 clients > on a network running on a TJENER from 9.x or 8.x. > While investigating this, Petter pointed us to the security flaw of always > updating the LDAP server certificate on clients. Only deploying the LDAP > server cert once protects the user against password sniffing, if someone > malign takes over the network. Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a fallback option. > Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it now > is easy to read, Sure, you improved it quite a lot :) Wolfgang signature.asc Description: PGP signature
Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable
Hi Wolfgang, hi Holger, On Fr 16 Aug 2019 11:41:56 CEST, Wolfgang Schweer wrote: On Thu, Aug 15, 2019 at 03:54:54PM +, Holger Levsen wrote: On Thu, Aug 15, 2019 at 02:38:33PM +, Debian FTP Masters wrote: > Source: debian-edu-config > Version: 2.10.67 [...] >debian-edu-config.fetch-ldap-cert: > - Fully inline-document fetch-ldap-cert script. this is really great > - White-space-only change: Fix broken and inconsistent indentations. looking at the debdiff between in whats in stable and this it seems this is mostly not visible because its basically/almost a rewrite anyway: $ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstat Makefile |2 cf3/cf.finalize | 52 + cf3/cf.homes |2 cf3/cf.workarounds | 16 cf3/edu.cf |1 debian/changelog | 96 +++ debian/control |2 debian/debian-edu-config.fetch-ldap-cert | 283 -- debian/debian-edu-config.postinst| 14 etc/ltsp/ltsp-build-client.conf |2 etc/network/if-up.d/hostname | 43 - share/debian-edu-config/d-i/finish-install | 31 - share/debian-edu-config/edu-firefox-nfs |1 share/debian-edu-config/sudo-ldap.conf |1 share/debian-edu-config/tools/create-debian-edu-certs|2 share/debian-edu-config/tools/kerberos-kdc-init |5 share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |4 17 files changed, 418 insertions(+), 139 deletions(-) (so maybe it would have been wiser not to mention the white-space only changes, as the release team really dislikes them.)\ however/anyway, I'm not sure we can get this past the release team for the stable point release. we might. we think all these changes are useful/needed for stable, right? Useful, yes; but IMO we could get along for Buster without the fetch-ldap-cert related changes introduced in d-e-c 2.10.67 in case the stable release team dislikes these. Disagreeing here. The fetch-ldap-cert changes are security related and get things right about the rootCA handling in Debian Edu buster. The white-space changes are awkward to review, but the readability of the script is much better now (as indentation is now correct + all the comments). (And: we, that is Holger, have/has got other d-e-c changes into a stable-pu, as we don't affect other software packages). Among improved checks for a lot of possible failures, the rewrite has the benefit of validating the LDAP server certificate against the Debian Edu rootCA one (the version shipped with d-e-c 2.10.66 did this against the bundle-crt certificate). Both are downloaded from www.intern, as opposed to the LDAP server cert that is fetched from the LDAP server itself. The bundle certificate contains the Debian Edu rootCA certificate and the multipurpose server certificate (as a chain). This server certificate is used for all configured Debian Edu server services, included the LDAP service. While using the single Debian Edu rootCA certificate for validation is the better way to go, the bundle certificate can be used as well. Yes. Thanks for pointing this out!!! It is the much better / cleaner / expected-by-admins approach. Another improvement of the fetch-ldap-cert script shipped with d-e-c 2.10.67 is the use of independent conditions for host and LTSP chroot (instead of the global condition introduced with commit f8f436e); but then the drawback caused by this change for LTSP chroots has also been dealt with via d-e-c 2.10.66 fixes. Mike, please comment. Futhermore, we now entirely fixed backwards compatibility (new Debian Edu clients running against old Debian Edu TJENERs). This was the main flaw of the original Debian 10.0 implementation. You can't use Debian Edu 10 clients on a network running on a TJENER from 9.x or 8.x. While investigating this, Petter pointed us to the security flaw of always updating the LDAP server certificate on clients. Only deploying the LDAP server cert once protects the user against password sniffing, if someone malign takes over the network. Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it now is easy to read, Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Finge
Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable
On Thu, Aug 15, 2019 at 03:54:54PM +, Holger Levsen wrote: > On Thu, Aug 15, 2019 at 02:38:33PM +, Debian FTP Masters wrote: > > Source: debian-edu-config > > Version: 2.10.67 > [...] > >debian-edu-config.fetch-ldap-cert: > > - Fully inline-document fetch-ldap-cert script. > > this is really great > > > - White-space-only change: Fix broken and inconsistent indentations. > > looking at the debdiff between in whats in stable and this it seems this > is mostly not visible because its basically/almost a rewrite anyway: > > $ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstat > Makefile |2 > cf3/cf.finalize | 52 + > cf3/cf.homes |2 > cf3/cf.workarounds | 16 > cf3/edu.cf |1 > debian/changelog | 96 > +++ > debian/control |2 > debian/debian-edu-config.fetch-ldap-cert | 283 > -- > debian/debian-edu-config.postinst| 14 > etc/ltsp/ltsp-build-client.conf |2 > etc/network/if-up.d/hostname | 43 - > share/debian-edu-config/d-i/finish-install | 31 - > share/debian-edu-config/edu-firefox-nfs |1 > share/debian-edu-config/sudo-ldap.conf |1 > share/debian-edu-config/tools/create-debian-edu-certs|2 > share/debian-edu-config/tools/kerberos-kdc-init |5 > share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |4 > 17 files changed, 418 insertions(+), 139 deletions(-) > > (so maybe it would have been wiser not to mention the white-space only > changes, > as the release team really dislikes them.)\ > > however/anyway, I'm not sure we can get this past the release team for > the stable point release. we might. we think all these changes are > useful/needed for stable, right? Useful, yes; but IMO we could get along for Buster without the fetch-ldap-cert related changes introduced in d-e-c 2.10.67 in case the stable release team dislikes these. Among improved checks for a lot of possible failures, the rewrite has the benefit of validating the LDAP server certificate against the Debian Edu rootCA one (the version shipped with d-e-c 2.10.66 did this against the bundle-crt certificate). Both are downloaded from www.intern, as opposed to the LDAP server cert that is fetched from the LDAP server itself. The bundle certificate contains the Debian Edu rootCA certificate and the multipurpose server certificate (as a chain). This server certificate is used for all configured Debian Edu server services, included the LDAP service. While using the single Debian Edu rootCA certificate for validation is the better way to go, the bundle certificate can be used as well. Another improvement of the fetch-ldap-cert script shipped with d-e-c 2.10.67 is the use of independent conditions for host and LTSP chroot (instead of the global condition introduced with commit f8f436e); but then the drawback caused by this change for LTSP chroots has also been dealt with via d-e-c 2.10.66 fixes. Mike, please comment. Wolfgang signature.asc Description: PGP signature
Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable
Hi, On Thu, Aug 15, 2019 at 02:38:33PM +, Debian FTP Masters wrote: > Source: debian-edu-config > Version: 2.10.67 [...] >debian-edu-config.fetch-ldap-cert: > - Fully inline-document fetch-ldap-cert script. this is really great > - White-space-only change: Fix broken and inconsistent indentations. looking at the debdiff between in whats in stable and this it seems this is mostly not visible because its basically/almost a rewrite anyway: $ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstat Makefile |2 cf3/cf.finalize | 52 + cf3/cf.homes |2 cf3/cf.workarounds | 16 cf3/edu.cf |1 debian/changelog | 96 +++ debian/control |2 debian/debian-edu-config.fetch-ldap-cert | 283 -- debian/debian-edu-config.postinst| 14 etc/ltsp/ltsp-build-client.conf |2 etc/network/if-up.d/hostname | 43 - share/debian-edu-config/d-i/finish-install | 31 - share/debian-edu-config/edu-firefox-nfs |1 share/debian-edu-config/sudo-ldap.conf |1 share/debian-edu-config/tools/create-debian-edu-certs|2 share/debian-edu-config/tools/kerberos-kdc-init |5 share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |4 17 files changed, 418 insertions(+), 139 deletions(-) (so maybe it would have been wiser not to mention the white-space only changes, as the release team really dislikes them.)\ however/anyway, I'm not sure we can get this past the release team for the stable point release. we might. we think all these changes are useful/needed for stable, right? would someone else (Mike?) be willing to file a SRM bug for debian-edu-config_2.10.65~deb10u1? -- cheers, Holger --- holger@(debian|reproducible-builds|layer-acht).org PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C signature.asc Description: PGP signature