Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-19 Thread Holger Levsen
Hi Mike,

On Mon, Aug 19, 2019 at 08:00:05PM +, Mike Gabriel wrote:
> I have put together a buster branch for debian-edu-config. At the end of
> this mail find a .diff between buster..master.

cool, thanks for this! (I wont have time for review now though, cccamp
is being too noisy atm.)

> I wasn't sure about the D-I / entropy related changes between 2.10.65 and
> 2.10.67 and if they were actually being targetted for the buster-pu or just
> for stable.
> 
> Please let me know, if "those" entropy commits need to get included or not.

I believe either is fine.

> Once we have agreed on a package version to upload to buster, I will compose
> the buster srm bug report for it.

2.10.65+deb10u1 is good.


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-19 Thread Mike Gabriel

Hi Holger, hi Wolfgang,

On  Fr 16 Aug 2019 21:43:05 CEST, Holger Levsen wrote:


Hi Mike,

On Fri, Aug 16, 2019 at 05:43:42PM +,  
mike.gabr...@das-netzwerkteam.de wrote:
I can do that after the weekend. I have put in in my calendar for  
Monday morning.


great, thank you!


I have put together a buster branch for debian-edu-config. At the end  
of this mail find a .diff between buster..master.


I wasn't sure about the D-I / entropy related changes between 2.10.65  
and 2.10.67 and if they were actually being targetted for the  
buster-pu or just for stable.


Please let me know, if "those" entropy commits need to get included or not.

Once we have agreed on a package version to upload to buster, I will  
compose the buster srm bug report for it.


Please give feedback. Thanks!

Mike

```
[mike@minobo d-e-c (buster)]$ git diff buster..master | cat
diff --git a/debian/changelog b/debian/changelog
index b78cc1b7..c4c58cf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,59 +1,14 @@
-debian-edu-config (2.10.65+deb10u1) UNRELEASED; urgency=medium
+debian-edu-config (2.10.67) unstable; urgency=medium

   [ Wolfgang Schweer ]
-  * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes:  
#928756)
-- Use PXE option 'ipappend 2' for LTSP client boot. This option  
makes sure

-  that all DHCP server information is getting through to LTSP clients.
-  (LTSP used this option before, but switched to 'ipappend 3' during the
-  Buster development cycle to ease setups with ProxyDHCP.)
-  * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
-- Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)
-  * Set environment variable to deal with Firefox profile. (Closes: #930122)
-This is a workaround for bug #930125, preventing firefox-esr  
startup issues

-if the mozilla profile is on an NFS share).
-- Ship share/debian-edu-config/edu-firefox-nfs with  
NSS_SDB_USE_CACHE="yes"

-  as content. Thanks to Mike Gabriel for spotting the issue and providing
-  this information.
-- Add instructions to cf3/cf.workarounds to link the  
'edu-firefox-nfs' file

-  to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'.
-  * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
-- While the reported arch is i686, LTSP uses i386. Set arch accordingly.
-  * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
-- Remove outdated (and now wrong) logging section.
-  * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
-- Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
-  to changed behaviour of the ifupdown/dhclient/systemd  
combination and now
-  also causes the loss of a dynamically allocated ipv4 IP address  
after 20

-  to 30 minutes after booting.
-- Add code to d/debian-edu-config.postinstall to implement the intended
-  hostname update just after rebooting the system after a change.
-- Adjust Makefile.
-  * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
-- Adjust share/debian-edu-config/tools/create-debian-edu-certs to  
copy the

-  rootCA file to the web server directory at certificate generation time.
-- Adjust cf3/cf.finalize to care for the rootCA file as well.
-- Adjust cf3/cf.workarounds to copy the rootCA file to the web server
-  directory upon main server upgrade.
-  * Add LDAP server certificate to the initial LTSP NBD image.  
(Closes: #932828)

-- etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
-- cf3/edu.cf: Define new class 'ltspimages'.
-- cf3/cf.finalize: Add code to include the LDAP server  
certificate for all

-  possible use cases, to generate the image and to adjust various rights.
-  * Changes to debian-edu-config.fetch-ldap-cert from 2.10.67).
+  * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
 - Use independent conditions to make sure that the LDAP server  
certificate
-  is only downloaded once for both host and LTSP chroot. (Closes:  
#934380)

+  is only downloaded once for both host and LTSP chroot.
 - Add code to validate the LDAP server certificate in case the Debian Edu
   RootCA certificate is available for download.

   [ Mike Gabriel ]
-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66):
-- Make the script (and with it Debian Edu buster workstations) work in a
-  Debian Edu environment where the main server (TJENER) is still  
on Debian

-  Edu 8 or 9. (Closes: #926933)
-- Retrieve TJENER's PKI server certificate only once per host to improve
-  security. This re-introduces the behaviour of fetch-ldap-cert  
in stretch

-  and earlier. (Closes: #931413).
-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67):
+  * Code review debian-edu-config.fetch-ldap-cert:
 - White-space-only change: Fix broken 

Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread Holger Levsen
Hi Mike,

On Fri, Aug 16, 2019 at 05:43:42PM +, mike.gabr...@das-netzwerkteam.de 
wrote:
> I can do that after the weekend. I have put in in my calendar for Monday 
> morning.

great, thank you!


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread mike . gabriel
Hi Holger,

Am Freitag, 16. August 2019 schrieb Holger Levsen:
> On Fri, Aug 16, 2019 at 12:25:49PM +0200, Wolfgang Schweer wrote:
> > Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if 
> > the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a 
> > fallback option.
> 
> right. so back to my original question:
> 
> however/anyway, I'm not sure we can get this past the release team for the 
> stable point release. we might. 
> 
> would someone else (Mike?) be willing to file a SRM bug for 
> debian-edu-config_2.10.65+deb10u1? (or 2.10.66~ or 2.10.67~???)
> 
> 
> -- 
> cheers,
>   Holger
> 

I can do that after the weekend. I have put in in my calendar for Monday 
morning.

Mike

-- 
Gesendet von meinem Fairphone2 (powered by Sailfish OS).

Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread Holger Levsen
On Fri, Aug 16, 2019 at 12:25:49PM +0200, Wolfgang Schweer wrote:
> Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if 
> the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a 
> fallback option.

right. so back to my original question:

however/anyway, I'm not sure we can get this past the release team for the 
stable point release. we might. 

would someone else (Mike?) be willing to file a SRM bug for 
debian-edu-config_2.10.65+deb10u1? (or 2.10.66~ or 2.10.67~???)


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread Wolfgang Schweer
Hi Mike,

thanks for the fast reply.

On Fri, Aug 16, 2019 at 10:10:27AM +, Mike Gabriel wrote:
> > Another improvement of the fetch-ldap-cert script shipped with d-e-c
> > 2.10.67 is the use of independent conditions for host and LTSP chroot
> > (instead of the global condition introduced with commit f8f436e); but
> > then the drawback caused by this change for LTSP chroots has also been
> > dealt with via d-e-c 2.10.66 fixes.
> > 
> > Mike, please comment.
> 
> Futhermore, we now entirely fixed backwards compatibility (new Debian Edu
> clients running against old Debian Edu TJENERs). This was the main flaw of
> the original Debian 10.0 implementation. You can't use Debian Edu 10 clients
> on a network running on a TJENER from 9.x or 8.x.
> While investigating this, Petter pointed us to the security flaw of always
> updating the LDAP server certificate on clients. Only deploying the LDAP
> server cert once protects the user against password sniffing, if someone
> malign takes over the network.

Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if 
the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a 
fallback option.

> Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it now
> is easy to read,

Sure, you improved it quite a lot :)

Wolfgang


signature.asc
Description: PGP signature


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread Mike Gabriel

Hi Wolfgang, hi Holger,

On  Fr 16 Aug 2019 11:41:56 CEST, Wolfgang Schweer wrote:


On Thu, Aug 15, 2019 at 03:54:54PM +, Holger Levsen wrote:

On Thu, Aug 15, 2019 at 02:38:33PM +, Debian FTP Masters wrote:
> Source: debian-edu-config
> Version: 2.10.67
[...]
>debian-edu-config.fetch-ldap-cert:
>  - Fully inline-document fetch-ldap-cert script.

this is really great

>  - White-space-only change: Fix broken and inconsistent indentations.

looking at the debdiff between in whats in stable and this it seems this
is mostly not visible because its basically/almost a rewrite anyway:

$ debdiff debian-edu-config_2.10.65.dsc  
debian-edu-config_2.10.67.dsc|diffstat

 Makefile |2
 cf3/cf.finalize 
  |   52 +

 cf3/cf.homes |2
 cf3/cf.workarounds   |   16
 cf3/edu.cf   |1
 debian/changelog
  |   96 +++

 debian/control   |2
 debian/debian-edu-config.fetch-ldap-cert
  |  283 --

 debian/debian-edu-config.postinst|   14
 etc/ltsp/ltsp-build-client.conf  |2
 etc/network/if-up.d/hostname
  |   43 -
 share/debian-edu-config/d-i/finish-install  
  |   31 -

 share/debian-edu-config/edu-firefox-nfs  |1
 share/debian-edu-config/sudo-ldap.conf   |1
 share/debian-edu-config/tools/create-debian-edu-certs|2
 share/debian-edu-config/tools/kerberos-kdc-init  |5
 share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |4
 17 files changed, 418 insertions(+), 139 deletions(-)

(so maybe it would have been wiser not to mention the white-space  
only changes,

as the release team really dislikes them.)\




however/anyway, I'm not sure we can get this past the release team for
the stable point release. we might. we think all these changes are
useful/needed for stable, right?


Useful, yes; but IMO we could get along for Buster without the
fetch-ldap-cert related changes introduced in d-e-c 2.10.67 in case the
stable release team dislikes these.


Disagreeing here.

The fetch-ldap-cert changes are security related and get things right  
about the rootCA handling in Debian Edu buster.


The white-space changes are awkward to review, but the readability of  
the script is much better now (as indentation is now correct + all the  
comments).


(And: we, that is Holger, have/has got other d-e-c changes into a  
stable-pu, as we don't affect other software packages).



Among improved checks for a lot of possible failures, the rewrite has
the benefit of validating the LDAP server certificate against the Debian
Edu rootCA one (the version shipped with d-e-c 2.10.66 did this against
the bundle-crt certificate). Both are downloaded from www.intern, as
opposed to the LDAP server cert that is fetched from the LDAP server
itself. The bundle certificate contains the Debian Edu rootCA
certificate and the multipurpose server certificate (as a chain). This
server certificate is used for all configured Debian Edu server
services, included the LDAP service. While using the single Debian Edu
rootCA certificate for validation is the better way to go, the bundle
certificate can be used as well.


Yes. Thanks for pointing this out!!! It is the much better / cleaner /  
expected-by-admins approach.



Another improvement of the fetch-ldap-cert script shipped with d-e-c
2.10.67 is the use of independent conditions for host and LTSP chroot
(instead of the global condition introduced with commit f8f436e); but
then the drawback caused by this change for LTSP chroots has also been
dealt with via d-e-c 2.10.66 fixes.

Mike, please comment.


Futhermore, we now entirely fixed backwards compatibility (new Debian  
Edu clients running against old Debian Edu TJENERs). This was the main  
flaw of the original Debian 10.0 implementation. You can't use Debian  
Edu 10 clients on a network running on a TJENER from 9.x or 8.x.
While investigating this, Petter pointed us to the security flaw of  
always updating the LDAP server certificate on clients. Only deploying  
the LDAP server cert once protects the user against password sniffing,  
if someone malign takes over the network.


Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it  
now is easy to read,

Mike

--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG 

Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-16 Thread Wolfgang Schweer
On Thu, Aug 15, 2019 at 03:54:54PM +, Holger Levsen wrote:
> On Thu, Aug 15, 2019 at 02:38:33PM +, Debian FTP Masters wrote:
> > Source: debian-edu-config
> > Version: 2.10.67
> [...]
> >debian-edu-config.fetch-ldap-cert:
> >  - Fully inline-document fetch-ldap-cert script.
> 
> this is really great
> 
> >  - White-space-only change: Fix broken and inconsistent indentations.
>  
> looking at the debdiff between in whats in stable and this it seems this
> is mostly not visible because its basically/almost a rewrite anyway:
> 
> $ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstat
>  Makefile |2 
>  cf3/cf.finalize  |   52 +
>  cf3/cf.homes |2 
>  cf3/cf.workarounds   |   16 
>  cf3/edu.cf   |1 
>  debian/changelog |   96 
> +++
>  debian/control   |2 
>  debian/debian-edu-config.fetch-ldap-cert |  283 
> --
>  debian/debian-edu-config.postinst|   14 
>  etc/ltsp/ltsp-build-client.conf  |2 
>  etc/network/if-up.d/hostname |   43 -
>  share/debian-edu-config/d-i/finish-install   |   31 -
>  share/debian-edu-config/edu-firefox-nfs  |1 
>  share/debian-edu-config/sudo-ldap.conf   |1 
>  share/debian-edu-config/tools/create-debian-edu-certs|2 
>  share/debian-edu-config/tools/kerberos-kdc-init  |5 
>  share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |4 
>  17 files changed, 418 insertions(+), 139 deletions(-)
> 
> (so maybe it would have been wiser not to mention the white-space only 
> changes,
> as the release team really dislikes them.)\
> 

> however/anyway, I'm not sure we can get this past the release team for 
> the stable point release. we might. we think all these changes are 
> useful/needed for stable, right?

Useful, yes; but IMO we could get along for Buster without the 
fetch-ldap-cert related changes introduced in d-e-c 2.10.67 in case the 
stable release team dislikes these.

Among improved checks for a lot of possible failures, the rewrite has 
the benefit of validating the LDAP server certificate against the Debian 
Edu rootCA one (the version shipped with d-e-c 2.10.66 did this against 
the bundle-crt certificate). Both are downloaded from www.intern, as 
opposed to the LDAP server cert that is fetched from the LDAP server 
itself. The bundle certificate contains the Debian Edu rootCA 
certificate and the multipurpose server certificate (as a chain). This 
server certificate is used for all configured Debian Edu server 
services, included the LDAP service. While using the single Debian Edu 
rootCA certificate for validation is the better way to go, the bundle 
certificate can be used as well.

Another improvement of the fetch-ldap-cert script shipped with d-e-c 
2.10.67 is the use of independent conditions for host and LTSP chroot 
(instead of the global condition introduced with commit f8f436e); but 
then the drawback caused by this change for LTSP chroots has also been 
dealt with via d-e-c 2.10.66 fixes.

Mike, please comment.

Wolfgang


signature.asc
Description: PGP signature


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

2019-08-15 Thread Holger Levsen
Hi,

On Thu, Aug 15, 2019 at 02:38:33PM +, Debian FTP Masters wrote:
> Source: debian-edu-config
> Version: 2.10.67
[...]
>debian-edu-config.fetch-ldap-cert:
>  - Fully inline-document fetch-ldap-cert script.

this is really great

>  - White-space-only change: Fix broken and inconsistent indentations.
 
looking at the debdiff between in whats in stable and this it seems this
is mostly not visible because its basically/almost a rewrite anyway:

$ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstat
 Makefile |2 
 cf3/cf.finalize  |   52 +
 cf3/cf.homes |2 
 cf3/cf.workarounds   |   16 
 cf3/edu.cf   |1 
 debian/changelog |   96 +++
 debian/control   |2 
 debian/debian-edu-config.fetch-ldap-cert |  283 
--
 debian/debian-edu-config.postinst|   14 
 etc/ltsp/ltsp-build-client.conf  |2 
 etc/network/if-up.d/hostname |   43 -
 share/debian-edu-config/d-i/finish-install   |   31 -
 share/debian-edu-config/edu-firefox-nfs  |1 
 share/debian-edu-config/sudo-ldap.conf   |1 
 share/debian-edu-config/tools/create-debian-edu-certs|2 
 share/debian-edu-config/tools/kerberos-kdc-init  |5 
 share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |4 
 17 files changed, 418 insertions(+), 139 deletions(-)

(so maybe it would have been wiser not to mention the white-space only changes,
as the release team really dislikes them.)\

however/anyway, I'm not sure we can get this past the release team for the 
stable point
release. we might. we think all these changes are useful/needed for stable, 
right?

would someone else (Mike?) be willing to file a SRM bug for 
debian-edu-config_2.10.65~deb10u1?


-- 
cheers,
Holger

---
   holger@(debian|reproducible-builds|layer-acht).org
   PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


signature.asc
Description: PGP signature