LTS work report, February 2016
Here's the summary of my work on Debian LTS for February 2016:

 * investigating the update of ntp
 * update libebml in squeeze-lts

This is my first month working on Debian LTS and I managed to work only 3.9 hours out of the allocated 11.25. The reason for this was mostly me not trying hard enough to find packages to work on. As a way to compensate for this, I plan to spend some time on the triaging part of the process in March.

-- Damyan
Re: working for wheezy-security until wheezy-lts starts
On Tue, Mar 01, 2016 at 02:08:56PM +, Sébastien Delafond wrote:
> On 2016-03-01, Mike Gabriel wrote:
> > @Security Team: Shall we (LTS contributors) handle wheezy-security
> > updates like described below until Debian wheezy LTS comes into play?
> >
> >   o Pick a package that has open CVE issues in wheezy, e.g. from
> >     above list
> >   o Add the package to data/dsa-needed.txt, if not already there:

Don't add anything to dsa-needed.txt directly, but rather ask team@ first whether this actually qualifies for a DSA. Packages get only added there after individual assessment.

Cheers,
Moritz
Re: working for wheezy-security until wheezy-lts starts
On 2016-03-01, Mike Gabriel wrote:
> @Security Team: Shall we (LTS contributors) handle wheezy-security
> updates like described below until Debian wheezy LTS comes into play?
>
>   o Pick a package that has open CVE issues in wheezy, e.g. from
>     above list
>   o Add the package to data/dsa-needed.txt, if not already there:
>     - packages with issues to be solved in wheezy only, should be
>       suffixed with "/oldstable" (i.e., gosa/oldstable)
>     - packages with issues in jessie and wheezy, should probably
>       just be added by the package name (without suffix), right?
>
> From then on, the workflow can be the same workflow as used for
> normal security updates (as already described earlier in this
> thread):
>
>   o Fix the issue in the package (grab the current package from
>     oldstable's archive).
>   o Test your fixes.
>   o Provide a .debdiff to t...@security.debian.org and to the
>     Debian bug, if any related bug exists.
>
>   o Wait for feedback from the release team on how to proceed.
>
>   o As a courtesy, you could check the same package in jessie and
>     see if the fix for oldstable is easily forward-portable. Thus,
>     maybe providing a jessie-security .debdiff for the package can
>     be an option.
>
> The removal of the entry placed into data/dsa-needed.txt should then
> be handled by the Security Team, once the fixed package version has
> been uploaded.
>
> More Feedback?
>
> Mike

Looking good to me; we can refine the process incrementally, if need be.

Thanks a lot for the help,

--Seb
Re: Unsupported packages for Wheezy LTS
On 29.02.2016 at 18:04, Raphael Hertzog wrote:
> On Mon, 29 Feb 2016, Markus Koschany wrote:
>> Matthias Klose, the OpenJDK maintainer, stated that he intends to
>> support OpenJDK 6 until Ubuntu 12.04 reaches EOL in April 2017 [1] and I
>> think it should be feasible to mirror this approach for Wheezy LTS
>> provided everyone agrees to keep OpenJDK 6 supported until then.
>
> I have no objection but I also don't see the point of supporting
> something only half of the LTS period.

Fair enough. Then let's focus on the switch to make OpenJDK 7 the default in Wheezy LTS.

>> We discussed the switch to OpenJDK 7 last month [2] and I think the
>> problematic packages are only those that strictly depend on
>> openjdk-6-jre like tunnelx and rcran-r-java. Everything else that
>> declares an alternative dependency on java6-runtime or default-jre
>> should be fine because OpenJDK 7 provides these dependencies.
>
> I suggest that we can already fix those, possibly via
> wheezy-proposed-updates so that they are fixed before the last
> wheezy point release.

I will handle the switch to OpenJDK 7 and coordinate this with the Debian Release Team. I have updated https://wiki.debian.org/LTS/TODO accordingly.

>> In addition I would also suggest to add Tomcat 6 to the list of
>> unsupported packages when it is declared EOL on December 31, 2016 [3]
>> and recommend the switch to Tomcat 7.
>
> OK. Then we should probably have some "Wheezy LTS release notes" where we
> can add some recommendations like "Use Tomcat 7 if you want security
> support until the end of Wheezy LTS because Tomcat 6 will be EOL on
> 2016-12-31."
>
> We could then also document the situation of OpenJDK 6.
>
> And we should also fix debian-security-support to be able to document well
> in advance that some packages won't be supported past a given date...
> right now I don't think that the software takes the EOL date into account.

I transformed these suggestions into TODO items on https://wiki.debian.org/LTS/TODO. Everyone feel free to work on this and don't forget to claim the task by adding your names behind it.

Regards,

Markus
Re: Wiki update LTS/Using and EOL announcement
On 01.03.2016 at 13:16, Bonno Bloksma (list account) wrote:
> Hi,
>
> On 2016-02-29 20:27, Paul Gevers wrote:
>>> I know, but that is not what I meant. I meant (and wrote), upgrade via
>>> wheezy.
>>
>> I think that (what you wrote earlier) would be a sensible recommendation to
>> make.
>>
>> We're only keeping Wheezy around for system setups that were established
>> while Wheezy was stable, we've tried to bring all Squeeze systems via Wheezy
>> and then immediately to Jessie.
>
> So the announcement should probably read something like:
> We recommend that you upgrade your systems to at least Debian 7 "Wheezy" and
> then to the current Debian 8 stable release "Jessie" if you can.
> Instructions to upgrade from Squeeze to Wheezy can be found at
>
> https://wiki.debian.org/LTS/Using

Hi,

I have already sent the announcement to debian-lts-announce.

> Also the info at the above link is rather sparse. "Recommendations for
> upgrading from Squeeze LTS to Wheezy LTS"
> Should there not also be a link to the old Squeeze to Wheezy upgrade
> instructions?
> There were several gotchas if I remember.

I have just added the links to the official release notes for Wheezy and the issues to be aware of. Please feel free to add more recommendations to the Wiki, if you think they may be useful for others.

Regards,

Markus
RE: Wiki update LTS/Using and EOL announcement
Hi,

On 2016-02-29 20:27, Paul Gevers wrote:
>> I know, but that is not what I meant. I meant (and wrote), upgrade via
>> wheezy.
>
> I think that (what you wrote earlier) would be a sensible recommendation to
> make.
>
> We're only keeping Wheezy around for system setups that were established
> while Wheezy was stable, we've tried to bring all Squeeze systems via Wheezy
> and then immediately to Jessie.

So the announcement should probably read something like:

We recommend that you upgrade your systems to at least Debian 7 "Wheezy" and then to the current Debian 8 stable release "Jessie" if you can. Instructions to upgrade from Squeeze to Wheezy can be found at https://wiki.debian.org/LTS/Using

Also the info at the above link is rather sparse. "Recommendations for upgrading from Squeeze LTS to Wheezy LTS"

Should there not also be a link to the old Squeeze to Wheezy upgrade instructions? There were several gotchas if I remember.

Bonno Bloksma
[SECURITY] Debian 6 Squeeze has reached end-of-life
The Debian Long Term Support (LTS) Team hereby announces that Debian 6 ("Squeeze") support has reached its end-of-life on February 29, 2016, five years after its initial release on February 6, 2011. There will be no further security support for Debian 6.0.

The LTS Team will prepare the transition to Debian 7 ("wheezy"), which is the current oldstable release. The LTS team will take over support from the Security Team on April 26, 2016. Debian 7 will also receive Long Term Support for five years after its initial release with support ending on May 31, 2018.

We recommend that you upgrade your systems. Instructions can be found at https://wiki.debian.org/LTS/Using

Debian and its LTS Team would like to thank all contributing users, developers and sponsors who are making it possible to extend the life of previous stable releases, and who have made this LTS a success. If you rely on Debian LTS, please consider joining the team, providing patches, testing or funding the efforts.

More information can be found at https://wiki.debian.org/LTS/
Re: working for wheezy-security until wheezy-lts starts
On Tue 01 Mar 2016 08:44:08 CET, Guido Günther wrote:

> On Tue, Mar 01, 2016 at 07:15:28AM +, Mike Gabriel wrote:
> [..snip..]
> > > Issues that are unfixed in wheezy but fixed in squeeze:
> > > * aptdaemon -> CVE-2015-1323
> > > * cakephp -> TEMP-000-698CF7
> > > * dhcpcd -> CVE-2012-6698 CVE-2012-6699 CVE-2012-6700
> > > * eglibc -> CVE-2014-9761
> > > * extplorer -> CVE-2015-0896
> > > * fuseiso -> TEMP-0779047-8CABD5 TEMP-0779047-E29D8E
> > > * gosa -> CVE-2014-9760 CVE-2015-8771
> > > * gtk+2.0 -> CVE-2013-7447
> > > * icu -> CVE-2015-2632
> > > * imagemagick -> TEMP-0773834-5EB6CF
> > > * imlib2 -> CVE-2014-9762 CVE-2014-9763 CVE-2014-9764
> > > * inspircd -> CVE-2015-8702
> > > * libebml -> CVE-2015-8790 CVE-2015-8791
> > > * libidn -> CVE-2015-2059 TEMP-000-54045E
> > > * libmatroska -> CVE-2015-8792
> > > * libsndfile -> CVE-2014-9756 CVE-2015-7805
> > > * libstruts1.2-java -> CVE-2015-0899
> > > * libtorrent-rasterbar -> CVE-2015-5685
> > > * mono -> CVE-2009-0689
> > > * nss -> CVE-2015-7181 CVE-2015-7182 CVE-2016-1938
> > > * optipng -> CVE-2015-7801
> > > * phpmyadmin -> CVE-2016-2039 CVE-2016-2041
> > > * pixman -> CVE-2014-9766
> > > * python-tornado -> CVE-2014-9720
> > > * roundcube -> CVE-2015-8770
> > > * srtp -> CVE-2015-6360
> > > * tomcat6 -> CVE-2013-4286 CVE-2013-4322 CVE-2014-0033
> > >   CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227
> > >   CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5351
> > >   CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
> > >
> > > I'm focusing on these picking older ones over newer ones to not stomp
> > > onto the security team's toes.
> >
> > Do you announce anywhere, that you will start working on a specific
> > package? Wouldn't it make sense to put all the packages listed below
> > into data/dsa-needed.txt (with approval from the Security Team) and
> > then put our names behind those package names?
>
> In order to avoid double work I added these to dsa-needed.txt and put
> my name on the line.
>
> Cheers,
>  -- Guido

Ack.

@Security Team: Shall we (LTS contributors) handle wheezy-security updates like described below until Debian wheezy LTS comes into play?

  o Pick a package that has open CVE issues in wheezy, e.g. from
    above list
  o Add the package to data/dsa-needed.txt, if not already there:
    - packages with issues to be solved in wheezy only, should be
      suffixed with "/oldstable" (i.e., gosa/oldstable)
    - packages with issues in jessie and wheezy, should probably
      just be added by the package name (without suffix), right?

From then on, the workflow can be the same workflow as used for normal security updates (as already described earlier in this thread):

  o Fix the issue in the package (grab the current package from
    oldstable's archive).
  o Test your fixes.
  o Provide a .debdiff to t...@security.debian.org and to the
    Debian bug, if any related bug exists.

  o Wait for feedback from the release team on how to proceed.

  o As a courtesy, you could check the same package in jessie and
    see if the fix for oldstable is easily forward-portable. Thus,
    maybe providing a jessie-security .debdiff for the package can
    be an option.

The removal of the entry placed into data/dsa-needed.txt should then be handled by the Security Team, once the fixed package version has been uploaded.

More Feedback?

Mike

--
mike gabriel aka sunweaver (Debian Developer)
fon: +49 (1520) 1976 148
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: sunwea...@debian.org, http://sunweavers.net