[Bug 1946965] Re: python3-defaults: py3versions -i does not list python3.10 when it is installed

2021-10-20 Thread Dimitri John Ledkov
Is this needed in focal too?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1946965

Title:
  python3-defaults: py3versions -i does not list python3.10 when it is
  installed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3-defaults/+bug/1946965/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1942260] Re: compress firmware in /lib/firmware

2021-10-19 Thread Dimitri John Ledkov
** Also affects: linux-firmware-raspi2 (Ubuntu)
   Importance: Undecided
   Status: New


[Bug 1947721] [NEW] shellcheck has regressions

2021-10-19 Thread Dimitri John Ledkov
Public bug reported:

https://github.com/koalaman/shellcheck/commit/fbc8d2cb2f8070f820c9337851bb97478e40e710

is a fix for a regression in 0.7.2 release

Imho either we should stick with current shellcheck or package a newer
snapshot / cherry-picks of fixes?

** Affects: shellcheck (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: block-proposed block-proposed-jammy

** Tags added: block-proposed


[Bug 1932329] Re: Benchmark if we can compress kernel modules

2021-10-19 Thread Dimitri John Ledkov
** Also affects: initramfs-tools (Ubuntu)
   Importance: Undecided
   Status: New


[Bug 1942260] Re: compress firmware in /lib/firmware

2021-10-19 Thread Dimitri John Ledkov
** Also affects: initramfs-tools (Ubuntu)
   Importance: Undecided
   Status: New


[Bug 1947581] [NEW] Download times for 1Mbit DSL connection and 56k modem are meaningless

2021-10-18 Thread Dimitri John Ledkov
Public bug reported:

"""
You have to download a total of 5276 M. This download will take about 
11 hours with a 1Mbit DSL connection and about 8 days 12 hours with a 
56k modem.
"""

Are meaningless. On 4G connectivity one can get stable 4-6 Mbit,
developing world speeds are 8-10 Mbit range, and developed world speeds
are 40+ Mbit

Please update the download time estimates using the 40 MBit and 5 Mbit
connections.

https://www.cable.co.uk/broadband/speed/worldwide-speed-league/#:~:text=The%20average%20global%20broadband%20speed%20measured%20during%202018%20was%209.10,20.65%25%20over%20the%20previous%20year.

** Affects: ubuntu-release-upgrader (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: champagne rls-jj-incoming

** Tags added: champagne rls-jj-incoming


[Bug 1671536] Re: Default initrd is LZMA compressed, yet rebuilt initramfs are gzip?

2021-10-18 Thread Dimitri John Ledkov
I believe livecd-rootfs and live-build have been fixed for this.

** Changed in: cloud-images
   Status: New => Fix Released

** Changed in: initramfs-tools (Ubuntu)
   Status: New => Fix Released


[Bug 1944082] Re: initramfs-tools: zstd uses too much memory in mkinitramfs

2021-10-18 Thread Dimitri John Ledkov
In general we optimize for bootspeed, at the expense of generation time.
It is often the case that we can complete the boot on systems smaller
than required to recreate files for such boot. I.e. impossible to
install/upgrade packages.

Are you experiencing failure to create initrd, where previously you
could? A 512MB instance should still be able to create zstd compressed
initrd and boot.

** Changed in: initramfs-tools (Ubuntu)
   Status: New => Incomplete


[Bug 1941649] Re: switch to zstd by default breaks booting focal LTS kernel

2021-10-18 Thread Dimitri John Ledkov
Partial upgrades are not supported, and during upgrades we generally do
not recreate initrds for old kernels.

Meaning one should have at least .old kernel+initrd pair bootable.

It is more of a linux bug maybe that v5.4 does not support zstd compressed
initrd?


[Bug 1947043] Re: nvidia drivers do not update initramfs properly

2021-10-14 Thread Dimitri John Ledkov
Why are you using dkms modules, instead of signed lrm modules?

** Also affects: linux-restricted-modules (Ubuntu)
   Importance: Undecided
   Status: New


[Bug 1947174] [NEW] Add final-checks to check certificates

2021-10-14 Thread Dimitri John Ledkov
Public bug reported:

[Impact]

 * As part of landing builtin revocation certificates work
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been
identified that many kernels do not correctly enforce newly enforced keys
in the derivative flavours. I.e. due to annotations not importing parent
annotations, due to not having do_enforce_all, or using older formats of
annotations files.

 * As part of fips validation work final-checks got added to check and
assert that correct things are turned on.

 * It has been agreed that having a final-check for builtin system
trusted & revocation certificates would be a good thing. If packaging
declares that certain certificates should be built-in trusted or
revoked, the kernel must be configured pointing at the packaging
generated .pem bundle in the config.

[Test Plan]

 * Kernel should build
 * If trusted or revocation are configured in packaging but the config option 
is misconfigured (i.e. typo or not set), the kernel build and cranky close 
should fail


[Where problems could occur]

 * This is a packaging change only, thus may result in valid kernels
ftbfs but should be easy to rectify.

[Other Info]
 
 * Also see

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029

and kernels that derived from a primary kernel that had that fixed, and
the subsequently failed boot testing due to not enabling those options.

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: Incomplete

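One way to implement the final-check described in bug 1947174 above, as an added example that is not the Ubuntu kernel packaging's own script. The `debian/certs` and `debian/revoked-certs` directories, the bundle file names, the sample configs and all function names are assumptions made for illustration; `CONFIG_SYSTEM_TRUSTED_KEYS`, `CONFIG_SYSTEM_REVOCATION_LIST` and `CONFIG_SYSTEM_REVOCATION_KEYS` are the upstream kernel options.

```shell
#!/bin/sh
# Added example: fail the build when packaging declares builtin trusted or
# revoked certificates but the kernel config does not point at the generated
# .pem bundle. Directory layout and bundle names below are assumptions.

TRUSTED_PEM="debian/canonical-certs.pem"          # assumed bundle path
REVOKED_PEM="debian/canonical-revoked-certs.pem"  # assumed bundle path

# Print the value of option $2 in kernel config $1 with quotes stripped.
# Prints nothing for "# CONFIG_X is not set" or for a missing option.
config_value() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Succeed if directory $1 exists and holds at least one entry.
declares_certs() {
    [ -d "$1" ] && [ -n "$(ls -A "$1")" ]
}

# expect_option CONFIG OPTION EXPECTED: report and fail on any mismatch.
expect_option() {
    actual=$(config_value "$1" "$2")
    if [ "$actual" != "$3" ]; then
        echo "EE: $2 is '${actual:-<unset>}', expected '$3'" >&2
        return 1
    fi
}

# final_check_certs TREE CONFIG
# TREE is the packaging root, CONFIG the final kernel config of one flavour.
# Returns 0 when the config matches what packaging declares, 1 otherwise.
final_check_certs() {
    tree=$1 config=$2 rc=0
    if declares_certs "$tree/debian/certs"; then
        expect_option "$config" CONFIG_SYSTEM_TRUSTED_KEYS "$TRUSTED_PEM" || rc=1
    fi
    if declares_certs "$tree/debian/revoked-certs"; then
        # The revocation bundle is only built in when the list is enabled.
        expect_option "$config" CONFIG_SYSTEM_REVOCATION_LIST y || rc=1
        expect_option "$config" CONFIG_SYSTEM_REVOCATION_KEYS "$REVOKED_PEM" || rc=1
    fi
    return "$rc"
}

# Build a constructed sample tree with three flavour configs; print its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/debian/certs" "$t/debian/revoked-certs"
    : > "$t/debian/certs/sample-signing.pem"
    : > "$t/debian/revoked-certs/sample-revoked.pem"
    cat > "$t/config.good" <<EOF
CONFIG_SYSTEM_TRUSTED_KEYS="$TRUSTED_PEM"
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="$REVOKED_PEM"
EOF
    # Derivative flavour with a typo in the bundle name.
    cat > "$t/config.typo" <<EOF
CONFIG_SYSTEM_TRUSTED_KEYS="$TRUSTED_PEM"
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-cert.pem"
EOF
    # Derivative flavour that never enabled the revocation options.
    cat > "$t/config.unset" <<EOF
CONFIG_SYSTEM_TRUSTED_KEYS="$TRUSTED_PEM"
# CONFIG_SYSTEM_REVOCATION_LIST is not set
EOF
    echo "$t"
}

# Run the check over each constructed flavour config.
sample=$(make_sample_tree)
for flavour in good typo unset; do
    if final_check_certs "$sample" "$sample/config.$flavour"; then
        echo "$flavour: ok"
    else
        echo "$flavour: FAIL"
    fi
done
rm -rf "$sample"
```

Comparing the whole string rather than testing for a non-empty value is what catches the typo case, where the option is set but points at a file packaging never generates.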

[Bug 1840122] Re: System fails to reboot from live session or ubiquity-dm - squashfs_read_data failed to read block

2021-10-13 Thread Dimitri John Ledkov
I wonder if we need before= or after= umount.target


[Bug 1840122] Re: System fails to reboot from live session or ubiquity-dm - squashfs_read_data failed to read block

2021-10-13 Thread Dimitri John Ledkov
Our installer could stop finalrd before issuing shutdown too, as a
workaround.


[Bug 1840122] Re: System fails to reboot from live session or ubiquity-dm - squashfs_read_data failed to read block

2021-10-13 Thread Dimitri John Ledkov
We should check ordering of services for stop in a booted live session
(desktop / server / next-installer) and then figure out if we can add
additional dependencies to finalrd.service (after) such that its stop is
ordered before everything else is stopped.

** Also affects: finalrd (Ubuntu)
   Importance: Undecided
   Status: New


[Bug 1946642] Re: nvidia-graphics-drivers-390 ftbfs on armhf

2021-10-13 Thread Dimitri John Ledkov
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_39a8dbb93caf4ec889f8a1b7f69885db/bileto-4684/2021-10-12_16:41:27/impish_nvidia-graphics-drivers-390_content.diff


[Bug 1946808] Re: zfs fails reverting to a previous snapshot on reboot when selected on grub

2021-10-13 Thread Dimitri John Ledkov
** Description changed:

  [Impact]
  
-  * zfs fails reverting to a previous snapshot on reboot when selected on
+  * zfs fails reverting to a previous snapshot on reboot when selected on
  grub
  
-  * A miss-merge dropped initramfs hook changes, which result in failing
+  * A miss-merge dropped initramfs hook changes, which result in failing
  to generate and use a new zfs uid.
+ 
+  * Thus revert code to how it was before in
+ https://launchpad.net/ubuntu/+source/zfs-linux/2.0.2-1ubuntu3
  
  [Test Plan]
  
-  * Create snapshot with $ zsysctl save test-sru --system
+  * Create snapshot with $ zsysctl save test-sru --system
  
-  * Reboot and attempt to boot into test-sru snapshot
- 
+  * Reboot and attempt to boot into test-sru snapshot
  
  [Where problems could occur]
  
-  * The change is to initramfs hook only, thus initrd generation and boot
+  * The change is to initramfs hook only, thus initrd generation and boot
  paths are affected. Only latest initrd is rebuilt, rather than old ones,
  meaning booting initrds of older kernel abis will not be resolved.
  
  [Other Info]
-  
-  * Original bug report
+ 
+  * Original bug report
  
  After creating a snapshot with: zsysctl save 211012-linux13-19 -s
  the reboot fails as shown on the screenshot, the other screenshot shows the 
result of the snapshot.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 21.10
  Package: zsys 0.5.8
  ProcVersionSignature: Ubuntu 5.13.0-19.19-generic 5.13.14
  Uname: Linux 5.13.0-19-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu70
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: XFCE
  Date: Tue Oct 12 19:11:43 2021
  InstallationDate: Installed on 2021-10-12 (0 days ago)
  InstallationMedia: Xubuntu 21.10 "Impish Indri" - Release amd64 (20211012)
  Mounts: Error: [Errno 40] Too many levels of symbolic links: '/proc/mounts'
  ProcKernelCmdLine: BOOT_IMAGE=/BOOT/ubuntu_zgtuq6@/vmlinuz-5.13.0-19-generic 
root=ZFS=rpool/ROOT/ubuntu_zgtuq6 ro quiet splash
  RelatedPackageVersions:
   zfs-initramfs  2.0.6-1ubuntu2
   zfsutils-linux 2.0.6-1ubuntu2
  SourcePackage: zsys
  SystemdFailedUnits:
  
  UpgradeStatus: No upgrade log present (probably fresh install)
  ZFSImportedPools:
   NAMESIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAGCAP  DEDUPHEALTH 
 ALTROOT
   bpool   768M  79.2M   689M- - 0%10%  1.00xONLINE 
 -
   rpool14G  3.33G  10.7G- - 1%23%  1.00xONLINE 
 -
  ZFSListcache-bpool:
   bpool/boot   off on  on  off on  off on  
off -   none-   -   -   -   -   -   -   
-
   bpool/BOOT   noneoff on  on  off on  off on  
off -   none-   -   -   -   -   -   -   
-
   bpool/BOOT/ubuntu_zgtuq6 /boot   on  on  on  off on  
off on  off -   none-   -   -   -   -   
-   -   -
  ZSYSJournal:
   -- Journal begins at Tue 2021-10-12 18:10:37 AST, ends at Tue 2021-10-12 
19:11:52 AST. --
   -- No entries --
  modified.conffile..etc.apt.apt.conf.d.90_zsys_system_autosnapshot: [deleted]

** Patch added: "lp1946808.patch"
   
https://bugs.launchpad.net/ubuntu/+source/zfs-linux/+bug/1946808/+attachment/5532393/+files/lp1946808.patch


[Bug 1946808] Re: zfs fails reverting to a previous snapshot on reboot when selected on grub

2021-10-13 Thread Dimitri John Ledkov
Also I wonder if:

grep -a -m10 -E "\*" /dev/urandom 2>/dev/null | tr -dc 'a-z0-9' | cut -c-6

can be implemented as:

cut -c-6 /proc/sys/kernel/random/uuid


[Bug 1946808] Re: zfs fails reverting to a previous snapshot on reboot when selected on grub

2021-10-13 Thread Dimitri John Ledkov
** Description changed:

+ [Impact]
+ 
+  * zfs fails reverting to a previous snapshot on reboot when selected on
+ grub
+ 
+  * A miss-merge dropped initramfs hook changes, which result in failing
+ to generate and use a new zfs uid.
+ 
+ [Test Plan]
+ 
+  * Create snapshot with $ zsysctl save test-sru --system
+ 
+  * Reboot and attempt to boot into test-sru snapshot
+ 
+ 
+ [Where problems could occur]
+ 
+  * The change is to initramfs hook only, thus initrd generation and boot
+ paths are affected. Only latest initrd is rebuilt, rather than old ones,
+ meaning booting initrds of older kernel abis will not be resolved.
+ 
+ [Other Info]
+  
+  * Original bug report
+ 
  After creating a snapshot with: zsysctl save 211012-linux13-19 -s
  the reboot fails as shown on the screenshot, the other screenshot shows the 
result of the snapshot.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 21.10
  Package: zsys 0.5.8
  ProcVersionSignature: Ubuntu 5.13.0-19.19-generic 5.13.14
  Uname: Linux 5.13.0-19-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu70
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: XFCE
  Date: Tue Oct 12 19:11:43 2021
  InstallationDate: Installed on 2021-10-12 (0 days ago)
  InstallationMedia: Xubuntu 21.10 "Impish Indri" - Release amd64 (20211012)
  Mounts: Error: [Errno 40] Too many levels of symbolic links: '/proc/mounts'
  ProcKernelCmdLine: BOOT_IMAGE=/BOOT/ubuntu_zgtuq6@/vmlinuz-5.13.0-19-generic 
root=ZFS=rpool/ROOT/ubuntu_zgtuq6 ro quiet splash
  RelatedPackageVersions:
-  zfs-initramfs  2.0.6-1ubuntu2
-  zfsutils-linux 2.0.6-1ubuntu2
+  zfs-initramfs  2.0.6-1ubuntu2
+  zfsutils-linux 2.0.6-1ubuntu2
  SourcePackage: zsys
  SystemdFailedUnits:
-  
+ 
  UpgradeStatus: No upgrade log present (probably fresh install)
  ZFSImportedPools:
-  NAMESIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAGCAP  DEDUPHEALTH 
 ALTROOT
-  bpool   768M  79.2M   689M- - 0%10%  1.00xONLINE 
 -
-  rpool14G  3.33G  10.7G- - 1%23%  1.00xONLINE 
 -
+  NAMESIZE  ALLOC   FREE  CKPOINT  EXPANDSZ   FRAGCAP  DEDUPHEALTH 
 ALTROOT
+  bpool   768M  79.2M   689M- - 0%10%  1.00xONLINE 
 -
+  rpool14G  3.33G  10.7G- - 1%23%  1.00xONLINE 
 -
  ZFSListcache-bpool:
-  bpool/boot   off on  on  off on  off on  
off -   none-   -   -   -   -   -   -   
-
-  bpool/BOOT   noneoff on  on  off on  off on  
off -   none-   -   -   -   -   -   -   
-
-  bpool/BOOT/ubuntu_zgtuq6 /boot   on  on  on  off on  
off on  off -   none-   -   -   -   -   
-   -   -
+  bpool/boot   off on  on  off on  off on  
off -   none-   -   -   -   -   -   -   
-
+  bpool/BOOT   noneoff on  on  off on  off on  
off -   none-   -   -   -   -   -   -   
-
+  bpool/BOOT/ubuntu_zgtuq6 /boot   on  on  on  off on  
off on  off -   none-   -   -   -   -   
-   -   -
  ZSYSJournal:
-  -- Journal begins at Tue 2021-10-12 18:10:37 AST, ends at Tue 2021-10-12 
19:11:52 AST. --
-  -- No entries --
+  -- Journal begins at Tue 2021-10-12 18:10:37 AST, ends at Tue 2021-10-12 
19:11:52 AST. --
+  -- No entries --
  modified.conffile..etc.apt.apt.conf.d.90_zsys_system_autosnapshot: [deleted]


[Bug 1946808] Re: zfs fails reverting to a previous snapshot on reboot when selected on grub

2021-10-13 Thread Dimitri John Ledkov
** Also affects: zfs-linux (Ubuntu Impish)
   Importance: Critical
 Assignee: Dimitri John Ledkov (xnox)
   Status: Triaged


[Bug 1933826] Re: default file permissions on bootloader configuration

2021-10-12 Thread Dimitri John Ledkov
I am still confused how 400 permission for grub.cfg can work at all.

Depending on the upstream grub version, it either cats things to it, or
moves a new file to it. In both cases, either permissions reset to 600
or write is not allowed at all. Or one has custom/distro/downstream
patched grub that does something different.

Are you inspecting grub.cfg which is stored on non-posix filesystems
with restrictive mount umask set? I.e. grub.cfg stored on ESP mounted
with fmask=0022,dmask=0022 ?


[Bug 1939287] Re: dbgsym package is missing for ubuntu focal hwe kernel 5.11 & 5.13

2021-10-12 Thread Dimitri John Ledkov
To fix this on hwe-5.11 all of
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1930713 needs to be
backported. Given that hwe-5.11 will be rolled over to hwe-5.13 soon, I
am not sure if it is worth the effort.

** Changed in: linux-hwe-5.11 (Ubuntu Focal)
   Status: Confirmed => Won't Fix

** Changed in: linux-hwe-5.11 (Ubuntu)
   Status: Confirmed => Won't Fix

** Changed in: linux-hwe-5.13 (Ubuntu)
   Status: Confirmed => Fix Committed


[Bug 1939287] Re: dbgsym package is missing for ubuntu focal hwe kernel 5.11

2021-10-12 Thread Dimitri John Ledkov
The bug was committed for the linux-hwe-5.13 kernel in proposed:

linux-image-5.13.0-17-generic-dbgsym_5.13.0-17.17~20.04.1_armhf.ddeb (937.5 MiB)
linux-image-5.13.0-17-generic-lpae-dbgsym_5.13.0-17.17~20.04.1_armhf.ddeb (923.4 MiB)
linux-image-unsigned-5.13.0-17-generic-64k-dbgsym_5.13.0-17.17~20.04.1_arm64.ddeb (1.2 GiB)
linux-image-unsigned-5.13.0-17-generic-dbgsym_5.13.0-17.17~20.04.1_amd64.ddeb (1.1 GiB)
linux-image-unsigned-5.13.0-17-generic-dbgsym_5.13.0-17.17~20.04.1_arm64.ddeb (1.2 GiB)
linux-image-unsigned-5.13.0-17-generic-dbgsym_5.13.0-17.17~20.04.1_ppc64el.ddeb (1.0 GiB)
linux-image-unsigned-5.13.0-17-generic-dbgsym_5.13.0-17.17~20.04.1_s390x.ddeb (305.0 MiB)
linux-image-unsigned-5.13.0-17-lowlatency-dbgsym_5.13.0-17.17~20.04.1_amd64.ddeb (1.1 GiB)

Focal SRU for linux-hwe-5.13 is now verified.

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

** Summary changed:

- dbgsym package is missing for ubuntu focal hwe kernel 5.11
+ dbgsym package is missing for ubuntu focal hwe kernel 5.11 & 5.13

** Changed in: linux-hwe-5.13 (Ubuntu Focal)
   Status: In Progress => Fix Committed


[Bug 1946642] Re: nvidia-graphics-drivers-390 ftbfs on armhf

2021-10-12 Thread Dimitri John Ledkov
That also does not work, due to:

/var/lib/dkms/nvidia/390.144/build/nvidia-modeset/nvidia-modeset-linux.c:72:5: note: in expansion of macro ‘do_div’
   72 | do_div(result, 100);

./include/asm-generic/div64.h:245:36: error: passing argument 1 of ‘__div64_32’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  245 | __rem = __div64_32(&(n), __base);   \
  |^~~~
  ||
  |long unsigned int *
/var/lib/dkms/nvidia/390.144/build/nvidia-modeset/nvidia-modeset-linux.c:72:5: note: in expansion of macro ‘do_div’
   72 | do_div(re

I am starting to doubt that 32bit drivers have been working for a long
time now.


[Bug 1946642] Re: nvidia-graphics-drivers-390 ftbfs on armhf

2021-10-11 Thread Dimitri John Ledkov
** Patch added: "lp1946642.patch"
   
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-390/+bug/1946642/+attachment/5531917/+files/lp1946642.patch


[Bug 1946642] Re: nvidia-graphics-drivers-390 ftbfs on armhf

2021-10-11 Thread Dimitri John Ledkov
Testing in https://bileto.ubuntu.com/#/ticket/4681


[Bug 1946642] Re: nvidia-graphics-drivers-390 ftbfs on armhf

2021-10-11 Thread Dimitri John Ledkov
That failed, missed one more place. Retesting.


[Bug 1946642] Re: nvidia-graphics-drivers-390 ftbfs on armhf

2021-10-11 Thread Dimitri John Ledkov
Testing patch in https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4680


[Bug 1946642] Re: nvidia-graphics-drivers-390 ftbfs on armhf

2021-10-11 Thread Dimitri John Ledkov
** Patch added: "lp1946642.patch"
   
https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-390/+bug/1946642/+attachment/5531904/+files/lp1946642.patch


[Bug 1946642] [NEW] nvidia-graphics-drivers-390 ftbfs on armhf

2021-10-11 Thread Dimitri John Ledkov
Public bug reported:

nvidia-graphics-drivers-390 ftbfs on armhf

In file included from /var/lib/dkms/nvidia/390.144/build/nvidia/os-interface.c:16:
/var/lib/dkms/nvidia/390.144/build/nvidia/os-interface.c: In function ‘os_flush_cpu_write_combine_buffer’:
/var/lib/dkms/nvidia/390.144/build/common/inc/nv-linux.h:467:43: error: implicit declaration of function ‘outer_sync’ [-Werror=implicit-function-declaration]
  467 | #define WRITE_COMBINE_FLUSH(){ dsb(); outer_sync(); }
  |   ^~
/var/lib/dkms/nvidia/390.144/build/nvidia/os-interface.c:951:5: note: in expansion of macro ‘WRITE_COMBINE_FLUSH’
  951 | WRITE_COMBINE_FLUSH();
  | ^~~

https://autopkgtest.ubuntu.com/results/autopkgtest-impish/impish/armhf/n/nvidia-graphics-drivers-390/20211011_104931_6a71c@/log.gz

** Affects: nvidia-graphics-drivers-390 (Ubuntu)
 Importance: Undecided
 Status: New


[Bug 1946343] Re: Stale os-release file after possible upgrade from 20.04.2 to 20.04.3

2021-10-08 Thread Dimitri John Ledkov
It looks like it is this platform:

http://oem.archive.canonical.com/dists/focal-somerville-bulbasaur/

But I don't see any packages called oem-release or where they came from.

Dear reporter, what's the output of:

$ apt-cache policy oem-release

?


** Also affects: dell
   Importance: Undecided
   Status: New

** Changed in: dell
   Importance: Undecided => Critical


[Bug 1946343] Re: Stale os-release file after possible upgrade from 20.04.2 to 20.04.3

2021-10-08 Thread Dimitri John Ledkov
** Also affects: oem-priority
   Importance: Undecided
   Status: New

** Changed in: oem-priority
   Importance: Undecided => Critical


[Bug 1946001] Re: impish:linux-aws 5.13 panic during systemd autotest

2021-10-07 Thread Dimitri John Ledkov
** Also affects: ubuntu-release-notes
   Importance: Undecided
   Status: New

** Changed in: linux-aws (Ubuntu Impish)
Milestone: None => ubuntu-21.10

** Tags added: rls-ff-incoming


[Bug 1945757] Re: sysdig-dkms fails to build on arm64 - kernel 5.13

2021-10-05 Thread Dimitri John Ledkov
** Changed in: linux-oem-5.6 (Ubuntu Impish)
   Status: New => Fix Committed


[Bug 1941720] Re: openafs dkms: FTBFS for linux-hwe-5.13

2021-10-05 Thread Dimitri John Ledkov
** Changed in: openafs (Ubuntu)
   Status: New => Fix Released

** Changed in: openafs (Ubuntu Focal)
   Status: New => In Progress


[Bug 1941616] Re: rtl8821ce dkms: FTBFS for linux-hwe-5.13

2021-10-05 Thread Dimitri John Ledkov
Whitespace change is redundant, but it was made in the upstream commit,
meaning any future cherrypicks will continue to be clean.

** Changed in: rtl8821ce (Ubuntu)
   Status: New => Fix Released

** Changed in: rtl8821ce (Ubuntu Focal)
   Status: New => In Progress


[Bug 1941187] Re: gost-crypto dkms: FTBFS for linux-hwe-5.13

2021-10-05 Thread Dimitri John Ledkov
** Changed in: gost-crypto (Ubuntu Focal)
   Status: New => In Progress

** Changed in: gost-crypto (Ubuntu)
   Status: New => Fix Released


[Bug 1941071] Re: dm-writeboost dkms: FTBFS for linux-hwe-5.13

2021-10-05 Thread Dimitri John Ledkov
** Changed in: dm-writeboost (Ubuntu Focal)
   Status: New => In Progress

** Changed in: dm-writeboost (Ubuntu)
   Status: New => Fix Released


[Bug 1945784] Re: tp-smapi build failure on arm64 with the latest impish kernel

2021-10-05 Thread Dimitri John Ledkov
** Changed in: tp-smapi (Ubuntu Impish)
   Status: New => Fix Committed


[Bug 1942319] Re: When booting with UEFI, mokvar table and %:.platform keyring must be available

2021-10-05 Thread Dimitri John Ledkov
** Description changed:

- When booting with UEFI, mokvar table and %:.platform keyring must be
- available
+ [Impact]
+ 
+  * When booting with UEFI, mokvar table and %:.platform keyring must be
+ available. These are required for builtin revocation certificates to be
+ present, shim builtin certificates to be present and thus support to
+ signed & verified kexec present. It also allows revocation of signed lrm
+ and livepatch drivers which are trusted by this kernel.
+ 
+  * The kvm annotations are very minimal, v3 format, and the parent
+ kernel's annotations are not enforced.
+ 
+ [Test Plan]
+ 
+  * Check that /sys/firmware/efi/mok-variables/ is available
+ 
+  * Check that %:.blacklist keyring is populated
+ 
+$ sudo keyctl list %:.blacklist
+ 
+ 
+  * Check that %:.platform keyring is populated
+ 
+$ sudo keyctl list %:.platform
+ 
+ [Where problems could occur]
+ 
+  * Given how small the kvm config is, it is not clear if all of lockdown
+ features are correctly enabled. Specifically measuring and appraising
+ things with integrity framework. It is possible further config changes
+ will be required to make kvm flavour as hardened as generic one.
+ 
+ [Other Info]
+  
+  * This issue was discovered whilst working on 
https://bugs.launchpad.net/bugs/1928679 and 
https://bugs.launchpad.net/bugs/1932029
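Review bot: the two keyring checks added under [Test Plan] say only that %:.blacklist and %:.platform are "populated", so a keyring holding any single entry would pass. Name an entry that must be present, the way bug 1932029's plan does with "Contains asymmetric 2012 key.", and give the first bullet a command like the other two have (bug 1928679 uses "sudo ls /sys/firmware/efi/mok-variables").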


[Bug 1912811] Re: Update dwarves-dfsg in focal to version 1.21 from impish

2021-10-04 Thread Dimitri John Ledkov
** Also affects: dwarves-dfsg (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: libbpf (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Changed in: dwarves-dfsg (Ubuntu Bionic)
   Status: New => In Progress


[Bug 1912811] Re: Update dwarves-dfsg in focal to version 1.21 from impish

2021-10-04 Thread Dimitri John Ledkov
Using 1.21-0ubuntu1~20.04 and 1.21-0ubuntu1~21.04 it was possible to
create BTF enabled kernels on all architectures.

** Tags removed: verification-needed verification-needed-focal verification-needed-hirsute
** Tags added: verification-done verification-done-focal verification-done-hirsute


[Bug 1928648] Re: expiring trust anchor compatibility issue

2021-10-01 Thread Dimitri John Ledkov
** Changed in: gnutls28 (Ubuntu Trusty)
   Status: Confirmed => Won't Fix

** Also affects: gnutls28 (Ubuntu Focal)
   Importance: Undecided
   Status: New


[Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-10-01 Thread Dimitri John Ledkov
** Merge proposal linked:
   
https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal/+merge/409374


[Bug 1932029] Re: Support builtin revoked certificates

2021-10-01 Thread Dimitri John Ledkov
** Description changed:

  [Impact]
  
  Upstream linux kernel now supports configuring built-in revoked
  certificates for the .blacklist keyring.
  
  Add support in our kernel configuration to have built-in revoked
  certificates.
  
  Revoke UEFI amd64 & arm64 2012 signing certificate.
  
  Under UEFI Secureboot with lockdown, shim may attempt to communicate
  revoked certificates to the kernel and depending on how good EFI
  firmware is, this may or may not succeed.
  
  By having these built-in, it will be prohibited to kexec file_load older
  kernels that were signed with now revoked certificates, however one
  boots.
  
  [Test Plan]
  
   * Boot kernel directly, or just with grub, and without shim
  
   * Check that
  
  $ sudo keyctl list %:.blacklist
  
  Contains asymmetric 2012 key.
  
  [Where problems could occur]
  
   * Derivative and per-arch kernels may need to revoke different keys,
  thus this should be evaluated on per arch & flavour basis as to which
  keys to revoke.
  
  [Other Info]
  
   * In theory, this only needs to be revoked on amd64 and arm64, but
  empty revocation list is not allowed by the kernel configury, thus at
  the moment revoking 2012 UEFI cert for all architectures.
  
   * an ubuntu kernel team regression test is being added to assert that 
expected revoked certificates have been revoked
  see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
  
   * Previous reviews
  
  Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-
  team/2021-June/121362.html
  
  Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-
  team/2021-August/122996.html
  
  Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-
  team/2021-August/123470.html
  
  Focal & v5.8 (azure): https://lists.ubuntu.com/archives/kernel-
  team/2021-September/124336.html
  
- Focal & v5.4: TODO
+ Focal & v5.4: https://lists.ubuntu.com/archives/kernel-
+ team/2021-October/124497.html
  
  Bionic & v4.15: TODO
  
  Xenial & v4.4: TODO
  
  Trusty & v3.13: TODO

** Merge proposal linked:
   
https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal/+merge/409374


[Bug 1413664] Re: 15.04: consider enabling CONFIG_DEBUG_INFO_SPLIT and package the .dwo files

2021-09-30 Thread Dimitri John Ledkov
Should we look into this?


[Bug 1945632] [NEW] Re-enable DEBUG_INFO_BTF where it was disabled

2021-09-30 Thread Dimitri John Ledkov
Public bug reported:

[Impact]

 * pahole used to segfault on 32-bit platforms, which has now been fixed

 * pahole used to be too old in focal, which is now being SRUed

 * re-enable DEBUG_INFO_BTF in all the kernels/arches that had it
disabled, as otherwise one cannot compile/use advanced BTF features on
newer kernels.


[Test Plan]

 * Check that the built kernel's config has CONFIG_DEBUG_INFO_BTF=y
 * Check that the build log contains
```
  BTF .btf.vmlinux.bin.o
```

[Where problems could occur]

 * In the future, the kernel may require an even newer version of pahole from
dwarves, making the builds fail again, as building BTF debug
information will now be required, until either BTF is disabled again or
pahole is upgraded again.

[Other Info]
 
 * Latest pahole is available from focal-proposed, hirsute-proposed, impish release, builders-extra PPA

** Affects: linux (Ubuntu)
 Importance: Undecided
 Status: New

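The two [Test Plan] checks from the report above, scripted so they can be run against a build's config file and build log. This is an added example, not part of the bug report or of Ubuntu's kernel tooling; the function names, exit codes and sample files are assumptions made for the example, and the sample contents are constructed.

```shell
#!/bin/sh
# Added example: automate the [Test Plan] for CONFIG_DEBUG_INFO_BTF.
# Function names, exit codes and sample data are assumptions of this example.

# btf_test_plan CONFIG_FILE BUILD_LOG
#   0 = both checks pass
#   1 = config does not have CONFIG_DEBUG_INFO_BTF=y
#   2 = config is fine but the build log has no BTF step
#   3 = an input file is unreadable
btf_test_plan() {
    config=$1
    log=$2
    [ -r "$config" ] && [ -r "$log" ] || return 3

    # Match the whole line: a disabled option is written as
    # "# CONFIG_DEBUG_INFO_BTF is not set", and CONFIG_DEBUG_INFO_BTF_MODULES
    # shares the prefix, so a substring match would give false passes.
    grep -qx 'CONFIG_DEBUG_INFO_BTF=y' "$config" || return 1

    # The build-log line named in the test plan: "  BTF .btf.vmlinux.bin.o"
    grep -Eq '^[[:space:]]*BTF[[:space:]]+\.btf\.vmlinux\.bin\.o[[:space:]]*$' "$log" || return 2
    return 0
}

# Write constructed sample inputs (not taken from a real build) into DIR.
btf_write_samples() {
    dir=$1
    cat > "$dir/config.good" <<'EOF'
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_DEBUG_INFO_BTF_MODULES=y
EOF
    cat > "$dir/config.off" <<'EOF'
CONFIG_DEBUG_INFO=y
# CONFIG_DEBUG_INFO_BTF is not set
EOF
    cat > "$dir/build.good" <<'EOF'
  LD      .tmp_vmlinux.btf
  BTF     .btf.vmlinux.bin.o
  LD      .tmp_vmlinux.kallsyms1
EOF
    cat > "$dir/build.nobtf" <<'EOF'
  LD      .tmp_vmlinux.kallsyms1
  LD      vmlinux
EOF
}

# Run the checks over the constructed samples and print each result.
btf_demo() {
    tmp=$(mktemp -d) || return 1
    btf_write_samples "$tmp"
    for pair in "config.good build.good" "config.off build.good" "config.good build.nobtf"; do
        set -- $pair
        rc=0
        btf_test_plan "$tmp/$1" "$tmp/$2" || rc=$?
        echo "$1 + $2 -> exit $rc"
    done
    rm -rf "$tmp"
}

btf_demo
```

For a real build, call `btf_test_plan` with the generated `.config` and the saved build log instead of the sample files.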

[Bug 1932029] Re: Support builtin revoked certificates

2021-09-27 Thread Dimitri John Ledkov
** Description changed:

  [Impact]
  
  Upstream linux kernel now supports configuring built-in revoked
  certificates for the .blacklist keyring.
  
  Add support in our kernel configuration to have built-in revoked
  certificates.
  
  Revoke UEFI amd64 & arm64 2012 signing certificate.
  
  Under UEFI Secureboot with lockdown, shim may attempt to communicate
  revoked certificates to the kernel and depending on how good EFI
  firmware is, this may or may not succeed.
  
  By having these built-in, it will be prohibited to kexec file_load older
  kernels that were signed with now revoked certificates, however one
  boots.
  
- 
  [Test Plan]
  
   * Boot kernel directly, or just with grub, and without shim
  
   * Check that
  
  $ sudo keyctl list %:.blacklist
  
  Contains asymmetric 2012 key.
- 
  
  [Where problems could occur]
  
   * Derivative and per-arch kernels may need to revoke different keys,
  thus this should be evaluated on per arch & flavour basis as to which
  keys to revoke.
  
  [Other Info]
  
   * In theory, this only needs to be revoked on amd64 and arm64, but
  empty revocation list is not allowed by the kernel configury, thus at
  the moment revoking 2012 UEFI cert for all architectures.
  
   * an ubuntu kernel team regression test is being added to assert that 
expected revoked certificates have been revoked
  see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
  
   * Previous reviews
  
  Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-
  team/2021-June/121362.html
  
  Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-
  team/2021-August/122996.html
  
  Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-
  team/2021-August/123470.html
  
- Focal & v5.8 (azure): TODO
+ Focal & v5.8 (azure): https://lists.ubuntu.com/archives/kernel-
+ team/2021-September/124336.html
  
  Focal & v5.4: TODO
  
  Bionic & v4.15: TODO
  
  Xenial & v4.4: TODO
  
  Trusty & v3.13: TODO


[Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-09-27 Thread Dimitri John Ledkov
** Also affects: linux-azure-5.8 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-azure-5.8 (Ubuntu Hirsute)
   Status: New => Invalid

** Changed in: linux-azure-5.8 (Ubuntu)
   Status: New => Invalid

** Changed in: linux-azure-5.8 (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: linux-azure-5.8 (Ubuntu Xenial)
   Status: New => Invalid


[Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-09-27 Thread Dimitri John Ledkov
** Description changed:

  [Impact]
  
-  * Ubuntu's 15.4 based shim ships a very large vendor-dbx (aka mokx)
+  * Ubuntu's 15.4 based shim ships a very large vendor-dbx (aka mokx)
  which revokes many Ubuntu kernel hashes and 2012 signing key.
  
-  * Kernel should import those into it's %:.blacklist keyring such that
+  * Kernel should import those into it's %:.blacklist keyring such that
  it prohibits signed kexec of the revoked kernels.
  
-  * v5.13-rc1 kernel has learned how to import mokx and how to import
+  * v5.13-rc1 kernel has learned how to import mokx and how to import
  full certs into the %:.blacklist keyring.
  
-  * However, it only does so by reading MokListXRT efi variable.
+  * However, it only does so by reading MokListXRT efi variable.
  
-  * Due to the large size of Ubuntu's vendor-dbx, shim does not create
+  * Due to the large size of Ubuntu's vendor-dbx, shim does not create
  MokListXRT efi variable, but instead creates MokListXRT1 MokListXRT2
  MokListXRT3 which currently v5.13-rc1 kernel cannot read. Shim also
  exposes MokListXRT via mokvar table, which is easier to parse and
  contains all the revocations in full. Kernel needs a patch to read
  MokListXRT via mokvar table.
  
-  * We have two options on how to proceed from here, either we include
+  * We have two options on how to proceed from here, either we include
  the same hashes and certs as our vendordbx in in the kernel as
  revocation list, or we fix kernel to read MokListXRT via mokvar table
  
-  * The above is known as CVE-2020-26541
+  * The above is known as CVE-2020-26541
  
-  * Separately it would be nice to add informational dmesg messages when
+  * Separately it would be nice to add informational dmesg messages when
  revoking signing certificates, as a good indication that signing key
  rotation events have happened and have been applied correctly.
  
  [Test Plan]
  
-  * Boot kernel with 15.4 based Ubuntu shim
+  * Boot kernel with 15.4 based Ubuntu shim
  
-  * Install keyutils package
+  * Install keyutils package
  
-  * Execute $ sudo keyctl list %:.blacklist it should list in exccess of
+  * Execute $ sudo keyctl list %:.blacklist it should list in exccess of
  300+ hash entries. It also must list assymetric Canonical signing key
  from 2012.
  
-  * Separately check dmesg to observe that asymmetric canonical signing
+  * Separately check dmesg to observe that asymmetric canonical signing
  key from 2012 is revoked.
+ 
+   * $ sudo ls /sys/firmware/efi/mok-variables
+ MokListRT  MokListXRT  SbatLevelRT
+ 
+ When booted with shim, the mok-variables directory above should exist,
+ and contain at least `MokListRT  MokListXRT  SbatLevelRT` files.
+ 
+ In kernel messages, the CA certificate should be loaded via MOKvar table
+ i.e:
+ 
+    * $ sudo journalctl -b -k | grep -A1 'MOKvar table'
+ Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 
certificate: UEFI:MokListRT (MOKvar table)
+ Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 
'Canonical Ltd. Master Certificate Authority: 
ad91990bc22ab1f517048c23b6655a268e345a63
  
  [Where problems could occur]
  
-  * EFI variable storage can be full thus preventing shim to mirror
+  * EFI variable storage can be full thus preventing shim to mirror
  efivars and the moktable. On decent hardware this should not happen, but
  has been observed to be corrupted on some older EDKII based OVMF
  instances with small EFI variable storage space (pre-4MB).
  
  [Other Info]
-  
-  * The patches to fix the above have been submitted upstream
+ 
+  * The patches to fix the above have been submitted upstream
  
  
https://lore.kernel.org/keyrings/20210512153100.285169-1-dimitri.led...@canonical.com/
  
  
https://lore.kernel.org/keyrings/20210512110302.262104-1-dimitri.led...@canonical.com/
  
  This will now be submitted as SAUCE patches for the Ubuntu UNSTABLE
  kernel, until accepted upstream.
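Review bot: the steps added to [Test Plan] verify only MokListRT (the journalctl sample shows the CA certificate being loaded), while this bug is about importing MokListXRT into %:.blacklist; add an expected line or check that shows the revocations arriving via the MOKvar table. The pasted sample is also tied to one machine (hostname champion-spaniel, Sep 27 timestamps) and its second line has an unclosed quote, so state which part of the output has to match.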


[Bug 1932029] Re: Support builtin revoked certificates

2021-09-27 Thread Dimitri John Ledkov
** Description changed:

  [Impact]
  
  Upstream linux kernel now supports configuring built-in revoked
  certificates for the .blacklist keyring.
  
  Add support in our kernel configuration to have built-in revoked
  certificates.
  
  Revoke UEFI amd64 & arm64 2012 signing certificate.
  
  Under UEFI Secureboot with lockdown, shim may attempt to communicate
  revoked certificates to the kernel and depending on how good EFI
  firmware is, this may or may not succeed.
  
  By having these built-in, it will be prohibited to kexec file_load older
  kernels that were signed with now revoked certificates, however one
  boots.
  
- For kernels v5.8 and lower, also backport mokvar table driver to surface
- MOK variables from the EFI config table that shim installs, instead of
- relying on runtime efivars.
  
  [Test Plan]
  
   * Boot kernel directly, or just with grub, and without shim
  
   * Check that
  
  $ sudo keyctl list %:.blacklist
  
  Contains asymmetric 2012 key.
  
- [Test Plan v5.8 and lower]
- 
- For v5.8 and lower kernels mok table driver is backported to surface
- moktable variables
- 
-   * $ sudo ls /sys/firmware/efi/mok-variables
- MokListRT  MokListXRT  SbatLevelRT
- 
- When booted with shim, the mok-variables directory above should exist,
- and contain at least `MokListRT  MokListXRT  SbatLevelRT` files.
- 
- In kernel messages, the CA certificate should be loaded via MOKvar table
- i.e:
- 
-    * $ sudo journalctl -b -k | grep -A1 'MOKvar table'
- Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 
certificate: UEFI:MokListRT (MOKvar table)
- Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 
'Canonical Ltd. Master Certificate Authority: 
ad91990bc22ab1f517048c23b6655a268e345a63
  
  [Where problems could occur]
  
   * Derivative and per-arch kernels may need to revoke different keys,
  thus this should be evaluated on per arch & flavour basis as to which
  keys to revoke.
  
  [Other Info]
  
   * In theory, this only needs to be revoked on amd64 and arm64, but
  empty revocation list is not allowed by the kernel configury, thus at
  the moment revoking 2012 UEFI cert for all architectures.
  
   * an ubuntu kernel team regression test is being added to assert that 
expected revoked certificates have been revoked
  see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
  
-  * Previous reviews
+  * Previous reviews
  
  Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-
  team/2021-June/121362.html
  
  Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-
  team/2021-August/122996.html
  
  Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-
  team/2021-August/123470.html
  
  Focal & v5.8 (azure): TODO
  
  Focal & v5.4: TODO
  
  Bionic & v4.15: TODO
  
  Xenial & v4.4: TODO
  
  Trusty & v3.13: TODO
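Review bot: with the "For kernels v5.8 and lower" paragraph and the [Test Plan v5.8 and lower] section removed, nothing in this description says where that verification now lives. Add a one-line pointer under [Other Info] to bug 1928679, whose description carries the same mok-variables and journalctl steps.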


[Bug 1932029] Re: Support builtin revoked certificates

2021-09-27 Thread Dimitri John Ledkov
** Description changed:

  [Impact]
  
  Upstream linux kernel now supports configuring built-in revoked
  certificates for the .blacklist keyring.
  
  Add support in our kernel configuration to have built-in revoked
  certificates.
  
  Revoke UEFI amd64 & arm64 2012 signing certificate.
  
  Under UEFI Secureboot with lockdown, shim may attempt to communicate
  revoked certificates to the kernel and depending on how good EFI
  firmware is, this may or may not succeed.
  
  By having these built-in, it will be prohibited to kexec file_load older
  kernels that were signed with now revoked certificates, however one
  boots.
  
  For kernels v5.8 and lower, also backport mokvar table driver to surface
  MOK variables from the EFI config table that shim installs, instead of
  relying on runtime efivars.
  
  [Test Plan]
  
   * Boot kernel directly, or just with grub, and without shim
  
   * Check that
  
  $ sudo keyctl list %:.blacklist
  
  Contains asymmetric 2012 key.
  
  [Test Plan v5.8 and lower]
  
  For v5.8 and lower kernels mok table driver is backported to surface
  moktable variables
  
    * $ sudo ls /sys/firmware/efi/mok-variables
  MokListRT  MokListXRT  SbatLevelRT
  
  When booted with shim, the mok-variables directory above should exist,
  and contain at least `MokListRT  MokListXRT  SbatLevelRT` files.
  
  In kernel messages, the CA certificate should be loaded via MOKvar table
  i.e:
  
     * $ sudo journalctl -b -k | grep -A1 'MOKvar table'
  Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 
certificate: UEFI:MokListRT (MOKvar table)
  Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 
'Canonical Ltd. Master Certificate Authority: 
ad91990bc22ab1f517048c23b6655a268e345a63
  
  [Where problems could occur]
  
   * Derivative and per-arch kernels may need to revoke different keys,
  thus this should be evaluated on per arch & flavour basis as to which
  keys to revoke.
  
  [Other Info]
  
   * In theory, this only needs to be revoked on amd64 and arm64, but
  empty revocation list is not allowed by the kernel configury, thus at
  the moment revoking 2012 UEFI cert for all architectures.
  
   * an ubuntu kernel team regression test is being added to assert that 
expected revoked certificates have been revoked
  see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
+ 
+  * Previous reviews
+ 
+ Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-
+ team/2021-June/121362.html
+ 
+ Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-
+ team/2021-August/122996.html
+ 
+ Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-
+ team/2021-August/123470.html
+ 
+ Focal & v5.8 (azure): TODO
+ 
+ Focal & v5.4: TODO
+ 
+ Bionic & v4.15: TODO
+ 
+ Xenial & v4.4: TODO
+ 
+ Trusty & v3.13: TODO


[Bug 1932029] Re: Support builtin revoked certificates

2021-09-27 Thread Dimitri John Ledkov
** Description changed:

  [Impact]
  
  Upstream linux kernel now supports configuring built-in revoked
  certificates for the .blacklist keyring.
  
  Add support in our kernel configuration to have built-in revoked
  certificates.
  
  Revoke UEFI amd64 & arm64 2012 signing certificate.
  
  Under UEFI Secureboot with lockdown, shim may attempt to communicate
  revoked certificates to the kernel and depending on how good EFI
  firmware is, this may or may not succeed.
  
  By having these built-in, it will be prohibited to kexec file_load older
  kernels that were signed with now revoked certificates, however one
  boots.
  
  [Test Plan]
  
   * Boot kernel directly, or just with grub, and without shim
  
   * Check that
  
  $ sudo keyctl list %:.blacklist
  
- Contains assymetric 2012 key.
+ Contains asymmetric 2012 key.
+ 
+ [Test Plan v5.8 and lower]
+ 
+ For v5.8 and lower kernels mok table driver is backported to surface
+ moktable variables
+ 
+   * $ sudo ls /sys/firmware/efi/mok-variables
+ MokListRT  MokListXRT  SbatLevelRT
+ 
+ When booted with shim, the mok-variables directory above should exist,
+ and contain at least `MokListRT  MokListXRT  SbatLevelRT` files.
+ 
+ In kernel messages, the CA certificate should be loaded via MOKvar table
+ i.e:
+ 
+* $ sudo journalctl -b -k | grep -A1 'MOKvar table'
+ Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 
certificate: UEFI:MokListRT (MOKvar table)
+ Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 
'Canonical Ltd. Master Certificate Authority: 
ad91990bc22ab1f517048c23b6655a268e345a63
+ 
  
  [Where problems could occur]
  
   * Derivative and per-arch kernels may need to revoke different keys,
  thus this should be evaluated on per arch & flavour basis as to which
  keys to revoke.
  
  [Other Info]
  
   * In theory, this only needs to be revoked on amd64 and arm64, but
  empty revocation list is not allowed by the kernel configury, thus at
  the moment revoking 2012 UEFI cert for all architectures.
  
-  * an ubuntu kernel team regression test is being added to assert that 
expected revoked certificates have been revoked
+  * an ubuntu kernel team regression test is being added to assert that 
expected revoked certificates have been revoked
  see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
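
Review bot: the added [Test Plan v5.8 and lower] section only shows the MokListRT certificate being loaded through the MOKvar table; no step confirms that the .blacklist keyring is populated on these kernels when booted with shim. Consider adding the `sudo keyctl list %:.blacklist` check from the main test plan to this section, with the expected 2012 key entry, so the backported driver is tied to the revocation behaviour the bug is about.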

** Description changed:

  [Impact]
  
  Upstream linux kernel now supports configuring built-in revoked
  certificates for the .blacklist keyring.
  
  Add support in our kernel configuration to have built-in revoked
  certificates.
  
  Revoke UEFI amd64 & arm64 2012 signing certificate.
  
  Under UEFI Secureboot with lockdown, shim may attempt to communicate
  revoked certificates to the kernel and depending on how good EFI
  firmware is, this may or may not succeed.
  
  By having these built-in, it will be prohibited to kexec file_load older
  kernels that were signed with now revoked certificates, however one
  boots.
  
+ For kernels v5.8 and lower, also backport mokvar table driver to surface
+ MOK variables from the EFI config table that shim installs, instead of
+ relying on runtime efivars.
+ 
  [Test Plan]
  
   * Boot kernel directly, or just with grub, and without shim
  
   * Check that
  
  $ sudo keyctl list %:.blacklist
  
  Contains asymmetric 2012 key.
  
  [Test Plan v5.8 and lower]
  
  For v5.8 and lower kernels mok table driver is backported to surface
  moktable variables
  
-   * $ sudo ls /sys/firmware/efi/mok-variables
- MokListRT  MokListXRT  SbatLevelRT
+   * $ sudo ls /sys/firmware/efi/mok-variables
+ MokListRT  MokListXRT  SbatLevelRT
  
  When booted with shim, the mok-variables directory above should exist,
  and contain at least `MokListRT  MokListXRT  SbatLevelRT` files.
  
  In kernel messages, the CA certificate should be loaded via MOKvar table
  i.e:
  
-* $ sudo journalctl -b -k | grep -A1 'MOKvar table'
+    * $ sudo journalctl -b -k | grep -A1 'MOKvar table'
  Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 
certificate: UEFI:MokListRT (MOKvar table)
  Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 
'Canonical Ltd. Master Certificate Authority: 
ad91990bc22ab1f517048c23b6655a268e345a63
- 
  
  [Where problems could occur]
  
   * Derivative and per-arch kernels may need to revoke different keys,
  thus this should be evaluated on per arch & flavour basis as to which
  keys to revoke.
  
  [Other Info]
  
   * In theory, this only needs to be revoked on amd64 and arm64, but
  empty revocation list is not allowed by the kernel configury, thus at
  the moment revoking 2012 UEFI cert for all architectures.
  
   * an ubuntu kernel team regression test is being added to assert that 
expected revoked certificates have been revoked
  see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html


[Bug 1932029] Re: Support builtin revoked certificates

2021-09-27 Thread Dimitri John Ledkov
** Also affects: linux-azure-5.8 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-azure-5.8 (Ubuntu Hirsute)
   Status: New => Invalid

** Changed in: linux-azure-5.8 (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: linux-azure-5.8 (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-azure-5.8 (Ubuntu)
   Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1932029

Title:
  Support builtin revoked certificates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029/+subscriptions



[Bug 1944744] Re: vboxsf missing in focal

2021-09-23 Thread Dimitri John Ledkov
** Description changed:

  virtualbox got SRUed into focal that drops virtualbox-guest-dkms
  
  virtualbox-guest-dkms (among other modules) used to provide vboxsf which
  src:linux used as source to build & sign vboxsf.
  
- vboxsf is also available in upstream vanilla kernels from v5.6+
+ vboxsf is also available in upstream vanilla kernels from v5.5~rc6+
  
  to continue building vboxsf in the src:linux on focal virtualbox-guest-
  dkms must be continued to be provided.
  
  please re-introduce back virtualbox-guest-dkms, on focal only.
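
Review bot: the new "v5.5~rc6+" on the vboxsf availability line reads as the release that first ships the module, but a `git describe` result of the form v5.5-rc6-150-g0fd1695766 (posted on bug 1933248 the same day) only says the commit sits 150 commits on top of the v5.5-rc6 tag, not which release first contains it. `git describe --contains 0fd1695766` answers that question; quoting its result, or the commit id itself, would be less ambiguous here than a tilde version.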

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1944744

Title:
  vboxsf missing in focal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1944744/+subscriptions



[Bug 1944744] [NEW] vboxsf missing in focal

2021-09-23 Thread Dimitri John Ledkov
Public bug reported:

virtualbox got SRUed into focal that drops virtualbox-guest-dkms

virtualbox-guest-dkms (among other modules) used to provide vboxsf which
src:linux used as source to build & sign vboxsf.

vboxsf is also available in upstream vanilla kernels from v5.6+

to continue building vboxsf in the src:linux on focal virtualbox-guest-
dkms must be continued to be provided.

please re-introduce back virtualbox-guest-dkms, on focal only.

** Affects: virtualbox (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: regression-update

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1944744

Title:
  vboxsf missing in focal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1944744/+subscriptions



[Bug 1933248] Re: please drop virtualbox-guest-dkms virtualbox-guest-source

2021-09-23 Thread Dimitri John Ledkov
https://lists.ubuntu.com/archives/kernel-team/2021-September/124249.html
https://lists.ubuntu.com/archives/kernel-team/2021-September/124250.html

** Changed in: linux (Ubuntu Focal)
   Status: Fix Committed => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1933248

Title:
  please drop virtualbox-guest-dkms virtualbox-guest-source

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1933248/+subscriptions



[Bug 1933248] Re: please drop virtualbox-guest-dkms virtualbox-guest-source

2021-09-23 Thread Dimitri John Ledkov
$ git describe 0fd1695766
v5.5-rc6-150-g0fd1695766

0fd1695766 fs: Add VirtualBox guest shared folder (vboxsf) support

** Tags added: block-proposed-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1933248

Title:
  please drop virtualbox-guest-dkms virtualbox-guest-source

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1933248/+subscriptions



[Bug 1933248] Re: please drop virtualbox-guest-dkms virtualbox-guest-source

2021-09-23 Thread Dimitri John Ledkov
reading old modules...
  MISS: vboxguest (ignored)
  MISS: vboxsf (ignored)


In the current kernel. So it appears that building with a dkms module got
dropped, and yet the guest modules from upstream code have not been built
either.

And I am able to reproduce https://bugs.launchpad.net/cloud-images/+bug/1939580

** Tags removed: verification-needed-focal
** Tags added: verification-failed-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1933248

Title:
  please drop virtualbox-guest-dkms virtualbox-guest-source

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1933248/+subscriptions



[Bug 1933248] Re: please drop virtualbox-guest-dkms virtualbox-guest-source

2021-09-23 Thread Dimitri John Ledkov
./fs/vboxsf is not available in v5.4 kernel.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1933248

Title:
  please drop virtualbox-guest-dkms virtualbox-guest-source

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1933248/+subscriptions



[Bug 1933248] Re: please drop virtualbox-guest-dkms virtualbox-guest-source

2021-09-23 Thread Dimitri John Ledkov
linux (5.4.0-87.98) focal; urgency=medium

  * please drop virtualbox-guest-dkms virtualbox-guest-source (LP: #1933248)
- [Config] Disable virtualbox dkms build


Disabled do_dkms_vbox, because src:virtualbox got SRUed into Focal which no
longer provides virtualbox-guest-dkms

I fear/wonder if this will cause regressions for virtualbox, in case
previous v5.4 kernel had newer/better/different vbox guest modules
versus what will be available now.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1933248

Title:
  please drop virtualbox-guest-dkms virtualbox-guest-source

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1933248/+subscriptions



[Bug 1933248] Re: please drop virtualbox-guest-dkms virtualbox-guest-source

2021-09-23 Thread Dimitri John Ledkov
I was not expecting for focal/linux to change. This change was expected
to be done in impish/linux only.

How can I figure out why this was done in focal/linux?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1933248

Title:
  please drop virtualbox-guest-dkms virtualbox-guest-source

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1933248/+subscriptions



[Bug 1942357] Re: Regression in openssl 1.0.1f for trusty/esm after last update

2021-09-21 Thread Dimitri John Ledkov
** Changed in: openssl (Ubuntu)
   Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1942357

Title:
  Regression in openssl 1.0.1f for trusty/esm after last update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1942357/+subscriptions



[Bug 1944403] Re: FIPS cannot be enabled on non usrmerged 20.04 systems

2021-09-21 Thread Dimitri John Ledkov
if we can't fix fips version of libgcrypt in focal, we must add a
maintainer script somewhere else to copy the hmac from /lib to /usr/lib.
I.e. a fixup in ua tool or ubuntu-fips package.

** Also affects: libgcrypt (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: libgcrypt (Ubuntu)
   Importance: Undecided => Critical

** Changed in: libgcrypt (Ubuntu)
 Assignee: (unassigned) => The FIPS-CC-STIG (fips-cc-stig)

** Information type changed from Public to Private

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1944403

Title:
  FIPS cannot be enabled on non usrmerged 20.04 systems

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libgcrypt/+bug/1944403/+subscriptions



[Bug 1944403] Re: FIPS cannot be enabled on non usrmerged 20.04 systems

2021-09-21 Thread Dimitri John Ledkov
An .hmac for a matching soname should be shipped in the same location
as recorded for a given deb in the dpkg database.

In bionic,
# dpkg -L libgcrypt20 | grep so.20.2.1
/lib/x86_64-linux-gnu/libgcrypt.so.20.2.1

Thus bionic gcrypt hmac file should be under /lib

In focal,
# dpkg -L libgcrypt20 | grep .so.20.2.5
/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.5

Thus focal gcrypt hmac file should be under /usr/lib

It seems a bug in whatever creates or ships gcrypt hmac file that it got
generated under /lib instead of /usr/lib on focal+

It is prohibited to depend/install usrmerge package on focal, and force
convert installations to usrmerged. We have only enabled and did this by
default in hirsute. Doing so on earlier releases may break the system
badly, depending on how old the running systemd is.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1944403

Title:
  FIPS cannot be enabled on non usrmerged 20.04 systems

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libgcrypt/+bug/1944403/+subscriptions


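
The location rule from the message above, as an added example that is not part of the original bug comment: it derives the library directory from a `dpkg -L`-style file list and reports whether the hmac sits beside the library or on the wrong side of the /lib vs /usr/lib split, which a usrmerged system hides behind its symlink. The hmac file name `.libgcrypt.so.20.hmac`, the function names and the throw-away root directories are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report. Assumptions: the integrity file
# is called ".libgcrypt.so.20.hmac"; all function names are hypothetical.

# Print the directory that a `dpkg -L`-style file list on stdin records for
# the first file whose name starts with $1.
lib_dir_from_filelist() {
    prefix=$1
    while IFS= read -r path; do
        case ${path##*/} in
            "$prefix"*) printf '%s\n' "${path%/*}"; return 0 ;;
        esac
    done
    return 1
}

# Map a library directory to its twin on the other side of the /lib vs
# /usr/lib split.
other_side() {
    case $1 in
        /usr/lib|/usr/lib/*) printf '%s\n' "${1#/usr}" ;;
        /lib|/lib/*)         printf '%s\n' "/usr$1" ;;
        *)                   return 1 ;;
    esac
}

# check_hmac_location ROOT LIB_PREFIX HMAC_NAME   (file list on stdin)
# Prints a verdict and returns 0 ok, 1 misplaced, 2 missing, 3 nolib.
check_hmac_location() {
    root=$1; prefix=$2; hmac=$3
    dir=$(lib_dir_from_filelist "$prefix") || { echo nolib; return 3; }
    if [ -f "$root$dir/$hmac" ]; then
        echo ok; return 0
    fi
    if alt=$(other_side "$dir") && [ -f "$root$alt/$hmac" ]; then
        echo misplaced; return 1
    fi
    echo missing; return 2
}

# Constructed sample input: the focal library path quoted in the bug comment,
# preceded by its directory entry as `dpkg -L` would list it.
FOCAL_LIST='/usr/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.5'

# Build a throw-away root with the hmac generated under /lib, as the comment
# describes. "split" keeps /lib and /usr/lib as separate directories;
# "merged" makes /lib a symlink to usr/lib, as on a usrmerged system.
run_case() {
    layout=$1
    root=$(mktemp -d) || return 99
    mkdir -p "$root/usr/lib/x86_64-linux-gnu"
    if [ "$layout" = merged ]; then
        ln -s usr/lib "$root/lib"
    else
        mkdir -p "$root/lib/x86_64-linux-gnu"
    fi
    : > "$root/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac"
    printf '%s\n' "$FOCAL_LIST" |
        check_hmac_location "$root" libgcrypt.so. .libgcrypt.so.20.hmac \
        && rc=0 || rc=$?
    rm -rf "$root"
    return "$rc"
}

echo "split /lib and /usr/lib:      $(run_case split)"
echo "usrmerged (/lib -> usr/lib): $(run_case merged)"
```

On a real system the same check would be fed from `dpkg -L libgcrypt20` with `/` as the root (pass an empty ROOT argument).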

[Bug 1912811] Re: Update dwarves-dfsg in focal to version 1.21 from impish

2021-09-20 Thread Dimitri John Ledkov
Uploaded new dwarves-dfsg SRUs that use embedded libbpf (which in turn is
updated to the same source as used in impish).

This makes dwarves-dfsg SRU stand-alone, without introducing or
upgrading the system-wide libbpf.

** Changed in: libbpf (Ubuntu Focal)
   Status: Confirmed => Won't Fix

** Changed in: libbpf (Ubuntu Hirsute)
   Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1912811

Title:
  Update dwarves-dfsg in focal to version 1.21 from impish

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dwarves-dfsg/+bug/1912811/+subscriptions



[Bug 1939287] Re: dbgsym package is missing for ubuntu focal hwe kernel 5.11

2021-09-20 Thread Dimitri John Ledkov
** Changed in: linux-hwe-5.13 (Ubuntu Focal)
   Status: Confirmed => In Progress

** Changed in: linux-hwe-5.13 (Ubuntu Focal)
 Assignee: (unassigned) => Dimitri John Ledkov (xnox)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939287

Title:
  dbgsym package is missing for ubuntu focal hwe kernel 5.11

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-hwe-5.11/+bug/1939287/+subscriptions



[Bug 1939287] Re: dbgsym package is missing for ubuntu focal hwe kernel 5.11

2021-09-20 Thread Dimitri John Ledkov
** Description changed:

+ [Impact]
+ 
+  * Due to disk space constraints previously hwe-5.11 disabled building
+ dbgsyms packages
+ 
+  * This has been resolved in hwe-5.13, thus builds with debug symbols
+ can be re-enabled
+ 
+ [Test Plan]
+ 
+  * Build new kernel, check that dbgsyms packages are published & have a
+ debug image
+ 
+ [Where problems could occur]
+ 
+  * Build may grow in size, again, and fail to build from source, again.
+ At the moment we don't see any such issues with v5.13 in impish.
+ 
+ [Other Info]
+  
+  * Original Bug description:
+ 
  Package "linux-image-unsigned-5.11.0-25-generic-dbgsym" is missing from
  http://ddebs.ubuntu.com/dists/focal-updates/main/binary-amd64/Packages
  
  This breaks our workflow when the system is automatically upgraded from
  5.8.0 to 5.11.0. We have "linux-image-unsigned-5.8.0-63-generic-dbgsym"
  for focal, which is also an HWE kernel. So why not do the same for
  5.11.0 kernels?
  
  Also, on focal, we have "linux-image-5.11.0-25-generic-dbgsym", which
  depends on the unsigned one, but the latter does not exist. This seems
  to indicate something is broken.

** Changed in: linux-hwe-5.13 (Ubuntu Focal)
   Status: New => Confirmed

** Changed in: linux-hwe-5.13 (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939287

Title:
  dbgsym package is missing for ubuntu focal hwe kernel 5.11

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-hwe-5.11/+bug/1939287/+subscriptions



[Bug 1912811] Re: Update dwarves-dfsg in focal to version 1.21 from impish

2021-09-20 Thread Dimitri John Ledkov
** Summary changed:

- Update dwarves-dfsg in focal to version 1.21 from hirsute
+ Update dwarves-dfsg in focal to version 1.21 from impish

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1912811

Title:
  Update dwarves-dfsg in focal to version 1.21 from impish

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dwarves-dfsg/+bug/1912811/+subscriptions



[Bug 1939287] Re: dbgsym package is missing for ubuntu focal hwe kernel 5.11

2021-09-20 Thread Dimitri John Ledkov
** Also affects: linux-hwe-5.13 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939287

Title:
  dbgsym package is missing for ubuntu focal hwe kernel 5.11

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-hwe-5.11/+bug/1939287/+subscriptions



[Bug 1928648] Re: expiring trust anchor compatibility issue

2021-09-20 Thread Dimitri John Ledkov
xenial autopkgtest regressions explained in
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/comments/13
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/comments/14

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928648

Title:
  expiring trust anchor compatibility issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/+subscriptions



[Bug 1941904] Re: Check if letsencrypt clients support configuring shorter chains

2021-09-16 Thread Dimitri John Ledkov
** Tags added: letsencryptexpiry

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1941904

Title:
  Check if letsencrypt clients support configuring shorter chains

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-certbot/+bug/1941904/+subscriptions



[Bug 1928648] Re: expiring trust anchor compatibility issue

2021-09-15 Thread Dimitri John Ledkov
bionic autopkgtests are all clean

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928648

Title:
  expiring trust anchor compatibility issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/+subscriptions



[Bug 1928648] Re: expiring trust anchor compatibility issue

2021-09-15 Thread Dimitri John Ledkov
In xenial systemd autopkgtest only fails with boot-smoke

FAIL: expected: '' actual: '  1 graphical.target start 
waiting
 92 rng-tools.servicestart running
101 systemd-update-utmp-runlevel.service start waiting
  2 multi-user.targetstart waiting'
autopkgtest [09:24:51]: test boot-smoke: ---]
boot-smoke   FAIL non-zero exit status 1

as if timeout is too low / cloud is busy, hence the nested KVM VM boot
is taking longer than expected.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928648

Title:
  expiring trust anchor compatibility issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/+subscriptions



[Bug 1928648] Re: expiring trust anchor compatibility issue

2021-09-15 Thread Dimitri John Ledkov
On xenial lxc autopkgtest fails with "ERROR: Unable to fetch GPG key
from keyserver." due to using keyserver that is no longer available on
the internet.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928648

Title:
  expiring trust anchor compatibility issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/+subscriptions



[Bug 1928648] Re: expiring trust anchor compatibility issue

2021-09-15 Thread Dimitri John Ledkov
# dpkg-query -W gnutls-bin libgnutls30
gnutls-bin  3.5.18-1ubuntu1.4
libgnutls30:amd64   3.5.18-1ubuntu1.4

# gnutls-cli --x509cafile=ca.pem expired-root-ca-test.germancoding.com
Processed 2 CA certificate(s).
Resolving 'expired-root-ca-test.germancoding.com:443'...
Connecting to '2a01:4f8:151:506c::2:443'...
...
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

# faketime 2021-10-01 gnutls-cli canonical.com
Processed 129 CA certificate(s).
Resolving 'canonical.com:443'...
Connecting to '2001:67c:1360:8001::2b:443'...
...
- Status: The certificate is NOT trusted. The certificate chain uses expired 
certificate. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.

Upgrading gnutls
# dpkg-query -W gnutls-bin libgnutls30
gnutls-bin  3.5.18-1ubuntu1.5
libgnutls30:amd64   3.5.18-1ubuntu1.5

# gnutls-cli --x509cafile=ca.pem expired-root-ca-test.germancoding.com 
https://bugs.launchpad.net/bugs/1928648

Title:
  expiring trust anchor compatibility issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/+subscriptions



[Bug 1928648] Re: expiring trust anchor compatibility issue

2021-09-15 Thread Dimitri John Ledkov
# gnutls-cli --x509cafile=ca.pem expired-root-ca-test.germancoding.com
Processed 2 CA certificate(s).
Resolving 'expired-root-ca-test.germancoding.com'...
Connecting to '2a01:4f8:151:506c::2:443'...
...
- Status: The certificate is NOT trusted. The certificate chain uses expired 
certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

# faketime 2021-10-01 gnutls-cli canonical.com
Processed 129 CA certificate(s).
Resolving 'canonical.com'...
Connecting to '2001:67c:1360:8001::2c:443'...
...
- Status: The certificate is NOT trusted. The certificate chain uses expired 
certificate. 
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

Reproduced original problem, upgraded libgnutls30 and gnutls-bin


# dpkg-query -W libgnutls30 gnutls-bin
gnutls-bin  3.4.10-4ubuntu1.9
libgnutls30:amd64   3.4.10-4ubuntu1.9

Things are good now:

# gnutls-cli --x509cafile=ca.pem expired-root-ca-test.germancoding.com
Processed 2 CA certificate(s).
Resolving 'expired-root-ca-test.germancoding.com'...
Connecting to '2a01:4f8:151:506c::2:443'...
...
- Status: The certificate is trusted. 
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 
53:9C:C7:86:1B:69:79:FC:37:AD:AD:A5:82:11:46:84:4F:B4:46:DC:C1:E7:2E:A9:40:18:6C:8A:B9:4C:B9:7E
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: extended master secret, safe renegotiation, OCSP status request,
- Handshake was completed

# faketime 2021-10-01 gnutls-cli canonical.com
Processed 129 CA certificate(s).
Resolving 'canonical.com'...
Connecting to '2001:67c:1360:8001::2b:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
...
- Status: The certificate is trusted. 
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 
71:90:E2:22:86:03:D2:13:17:6E:F1:20:8A:57:B8:E9:FF:0E:07:AB:1E:61:F6:7F:56:43:EF:BF:7A:F3:EF:56
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: extended master secret, safe renegotiation,
- Handshake was completed

All is good. Test website connectivity works, and future connectivity to
canonical.com also works.

xenial is verified.


** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928648

Title:
  expiring trust anchor compatibility issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls28/+bug/1928648/+subscriptions



[Bug 1940528] Re: curl 7.68 does not init OpenSSL correctly

2021-09-14 Thread Dimitri John Ledkov
** Changed in: curl (Ubuntu Focal)
 Assignee: (unassigned) => Dimitri John Ledkov (xnox)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940528

Title:
  curl 7.68 does not init OpenSSL correctly

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/curl/+bug/1940528/+subscriptions



[Bug 1940656] Re: Potential use after free bugs in 1.1.1

2021-09-14 Thread Dimitri John Ledkov
** Changed in: openssl (Ubuntu Focal)
   Status: Incomplete => In Progress

** Changed in: openssl (Ubuntu Focal)
 Assignee: (unassigned) => Robie Basak (racb)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940656

Title:
  Potential use after free bugs in 1.1.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions



[Bug 1940656] Re: Potential use after free bugs in 1.1.1

2021-09-14 Thread Dimitri John Ledkov
I would agree that any hypothetical use-after-free / double-free errors
are usually also security vulnerabilities. But these ones were
discovered with static analysis and/or affecting engine use, in error
conditions only. Thus connectivity must already be failing / denied,
before one can trip these ones up. Not sure if one can further stage an
attack by staging a connection failure, and try to disclose information
from that.

Will ping security team about it.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940656

Title:
  Potential use after free bugs in 1.1.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1940656/+subscriptions



[Bug 1921518] Re: OpenSSL "double free" error

2021-09-14 Thread Dimitri John Ledkov
No I'm not able to reproduce the issues anymore. Hence I need detailed
logs from you. Including tracebacks with debug symbols installed, and
strace too. Because I have never seen "bus error" on my side.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921518

Title:
  OpenSSL "double free" error

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518/+subscriptions



[Bug 1943530] Re: link libkrb5 with openssl

2021-09-14 Thread Dimitri John Ledkov
krb5 (1.13~alpha1+dfsg-1) experimental; urgency=low

  [ Benjamin Kaduk ]
  * New upstream prerelease:
    - Add support for accessing KDCs via an https proxy using the MS-KKDCP
      protocol, using a plugin provided by the new krb5-k5tls package, which
      uses openssl for the TLS implementation.  The openssl-using code is
      confined to a separate, runtime-loadable, plugin module, in a separate
      package, to ameliorate concerns about GPL code that links libkrb5 running
      into issues with the openssl license.  The Kerberos license is both
      GPL and OpenSSL compatible.  There might be an issue if an application
      was GPL licensed and someone used the OpenSSL plugin with that
      application.  Even that is probably fine provided that no one
      distributes a combination that tends to encourage such usage.  There's
      an existing krb5-pkinit plugin that also links to OpenSSL, but at time
      of integration into Debian no GPLed applications in the archive called
      APIs that would cause that plugin to be loaded.

The above concerns are still valid, and given that currently OpenSSL is
neither GPLv2 nor GPLv3 compatible, doing this may not be feasible
immediately.

The licensing choices will have to be re-evaluated again, once OpenSSL
v3 is the default OpenSSL implementation in the archive, which is GPLv3
compatible.

** Tags removed: rls-ii-incoming
** Tags added: rls-ii-wontfix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1943530

Title:
  link libkrb5 with openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions



[Bug 1943530] Re: link libkrb5 with openssl

2021-09-14 Thread Dimitri John Ledkov
** Tags added: rls-ii-incoming rls-jj-incoming

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1943530

Title:
  link libkrb5 with openssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions



[Bug 1942806] Re: Unmatched enable poweroff, LEDs, mmap PCI

2021-09-06 Thread Dimitri John Ledkov
** Description changed:

  [Impact]
  
   * Unable to use gpio-poweroff driver to poweroff via u-boot/opensbi/kernel
   * Unable to use LED colors
   * Unable to mmap PCI resources
  
   * Cherrypick dtb changes from meta-sifive 2021.08 release
  https://github.com/sifive/meta-sifive/tree/2021.08/recipes-
  kernel/linux/files
  
    * Fixup linux kernel to allow using gpio-poweroff driver for poweroff,
  without re-enabling back deprecated OpenSBI v0.1 extensions support
  (CONFIG_RISCV_SBI_V01) Submitted at https://lore.kernel.org/linux-
  riscv/20210907002847.111633-1-dimitri.led...@canonical.com/T/#u
  
  [Test Plan]
  
   * Boot Unmatched board, poweroff, it should poweroff.
  
   * No test case for LEDs (will try to figure it out)
  
   * No test case for mmap PCI resources (needs compatible hardware)
  
  [Where problems could occur]
  
   * DTB changes have already landed in opensbi/u-boot and thus kernel is
  being brought it line with matching support. pm_power_off reboot
  handling will have to change again in the future when support for
  OpenSBI v0.3 system reset extension is added in the kernel. When
  available, it will be used by default with regular power drivers
  probably compiled only as modules.
  
  [Other Info]
  
   * Alternative to taking these patches, poweroff support could be
  enabled by turning back on deprecated OpenSBI v0.1 extensions, which is
  a step backwards. OpenSBI v0.1 will not be available in the future.
+ 
+ https://lists.ubuntu.com/archives/kernel-team/2021-September/123845.html

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1942806

Title:
  Unmatched enable poweroff, LEDs, mmap PCI

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-riscv/+bug/1942806/+subscriptions



[Bug 1942806] Re: Unmatched enable poweroff, LEDs, mmap PCI

2021-09-06 Thread Dimitri John Ledkov
** Description changed:

  [Impact]
  
-  * Unable to use gpio-poweroff driver to poweroff via u-boot/opensbi/kernel
-  * Unable to use LED colors
-  * Unable to mmap PCI resources
+  * Unable to use gpio-poweroff driver to poweroff via u-boot/opensbi/kernel
+  * Unable to use LED colors
+  * Unable to mmap PCI resources
  
-  * Cherrypick dtb changes from meta-sifive 2021.08 release
+  * Cherrypick dtb changes from meta-sifive 2021.08 release
  https://github.com/sifive/meta-sifive/tree/2021.08/recipes-
  kernel/linux/files
  
-   * Fixup linux kernel to allow using gpio-poweroff driver for poweroff,
+   * Fixup linux kernel to allow using gpio-poweroff driver for poweroff,
  without re-enabling back deprecated OpenSBI v0.1 extensions support
  (CONFIG_RISCV_SBI_V01)
  
  [Test Plan]
  
-  * Boot Unmatched board, poweroff, it should poweroff.
+  * Boot Unmatched board, poweroff, it should poweroff.
  
-  * No test case for LEDs (will try to figure it out)
+  * No test case for LEDs (will try to figure it out)
  
-  * No test case for mmap PCI resources (needs compatible hardware)
+  * No test case for mmap PCI resources (needs compatible hardware)
  
  [Where problems could occur]
  
-  * DTB changes have already landed in opensbi/u-boot and thus kernel is
+  * DTB changes have already landed in opensbi/u-boot and thus kernel is
  being brought it line with matching support. pm_power_off reboot
  handling will have to change again in the future when support for
  OpenSBI v0.3 system reset extension is added in the kernel. When
  available, it will be used by default with regular power drivers
  probably compiled only as modules.
  
  [Other Info]
-  
-  * Alternative to taking this patches, poweroff support could be enabled by 
turning back on deprecated OpenSBI v0.1 extensions, which is a step backwards. 
OpenSBI v0.1 will not be available in the future.
+ 
+  * Alternative to taking these patches, poweroff support could be
+ enabled by turning back on deprecated OpenSBI v0.1 extensions, which is
+ a step backwards. OpenSBI v0.1 will not be available in the future.

** Description changed:

  [Impact]
  
   * Unable to use gpio-poweroff driver to poweroff via u-boot/opensbi/kernel
   * Unable to use LED colors
   * Unable to mmap PCI resources
  
   * Cherrypick dtb changes from meta-sifive 2021.08 release
  https://github.com/sifive/meta-sifive/tree/2021.08/recipes-
  kernel/linux/files
  
    * Fixup linux kernel to allow using gpio-poweroff driver for poweroff,
  without re-enabling back deprecated OpenSBI v0.1 extensions support
- (CONFIG_RISCV_SBI_V01)
+ (CONFIG_RISCV_SBI_V01) Submitted at https://lore.kernel.org/linux-
+ riscv/20210907002847.111633-1-dimitri.led...@canonical.com/T/#u
  
  [Test Plan]
  
   * Boot Unmatched board, poweroff, it should poweroff.
  
   * No test case for LEDs (will try to figure it out)
  
   * No test case for mmap PCI resources (needs compatible hardware)
  
  [Where problems could occur]
  
   * DTB changes have already landed in opensbi/u-boot and thus kernel is
  being brought it line with matching support. pm_power_off reboot
  handling will have to change again in the future when support for
  OpenSBI v0.3 system reset extension is added in the kernel. When
  available, it will be used by default with regular power drivers
  probably compiled only as modules.
  
  [Other Info]
  
   * Alternative to taking these patches, poweroff support could be
  enabled by turning back on deprecated OpenSBI v0.1 extensions, which is
  a step backwards. OpenSBI v0.1 will not be available in the future.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1942806

Title:
  Unmatched enable poweroff, LEDs, mmap PCI

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-riscv/+bug/1942806/+subscriptions



[Bug 1942806] [NEW] Unmatched enable poweroff, LEDs, mmap PCI

2021-09-06 Thread Dimitri John Ledkov
Public bug reported:

[Impact]

 * Unable to use gpio-poweroff driver to poweroff via u-boot/opensbi/kernel
 * Unable to use LED colors
 * Unable to mmap PCI resources

 * Cherrypick dtb changes from meta-sifive 2021.08 release
https://github.com/sifive/meta-sifive/tree/2021.08/recipes-
kernel/linux/files

  * Fixup linux kernel to allow using gpio-poweroff driver for poweroff,
without re-enabling back deprecated OpenSBI v0.1 extensions support
(CONFIG_RISCV_SBI_V01)

[Test Plan]

 * Boot Unmatched board, poweroff, it should poweroff.

 * No test case for LEDs (will try to figure it out)

 * No test case for mmap PCI resources (needs compatible hardware)

[Where problems could occur]

 * DTB changes have already landed in opensbi/u-boot and thus kernel is
being brought in line with matching support. pm_power_off reboot
handling will have to change again in the future when support for
OpenSBI v0.3 system reset extension is added in the kernel. When
available, it will be used by default with regular power drivers
probably compiled only as modules.

[Other Info]
 
 * Alternative to taking these patches, poweroff support could be enabled by
turning back on deprecated OpenSBI v0.1 extensions, which is a step backwards.
OpenSBI v0.1 will not be available in the future.

** Affects: linux-riscv (Ubuntu)
 Importance: Undecided
 Assignee: Dimitri John Ledkov (xnox)
 Status: In Progress

** Changed in: linux-riscv (Ubuntu)
 Assignee: (unassigned) => Dimitri John Ledkov (xnox)

** Changed in: linux-riscv (Ubuntu)
   Status: New => In Progress

** Summary changed:

- unmatched 2020.08 enablement
+ Unmatched enable poweroff, LEDs, mmap PCI

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1942806

Title:
  Unmatched enable poweroff, LEDs, mmap PCI

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-riscv/+bug/1942806/+subscriptions



[Bug 1939287] Re: dbgsym package is missing for ubuntu focal hwe kernel 5.11

2021-09-06 Thread Dimitri John Ledkov
The security PPA where 5.11.0-27 was built has "build dbgsyms" checked
but not "publish dbgsyms"; this seems odd, because I would think it is
useful to have access to published security ppa dbgsymbols.

Removing debug symbols is not nice. However, surely we can make disk
space savings the other way. For example, we do not need to produce
udebs for the hwe kernels anymore.

And we can experiment with using `Rules-Requires-Root: no` to allow us
building all packages in one go as non-root and without fakeroot.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939287

Title:
  dbgsym package is missing for ubuntu focal hwe kernel 5.11

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-hwe-5.11/+bug/1939287/+subscriptions



[Bug 1939287] Re: dbgsym package is missing for ubuntu focal hwe kernel 5.11

2021-09-06 Thread Dimitri John Ledkov
** Changed in: linux-hwe-5.11 (Ubuntu Focal)
 Assignee: (unassigned) => Dimitri John Ledkov (xnox)

** Changed in: linux-hwe-5.11 (Ubuntu)
 Assignee: (unassigned) => Dimitri John Ledkov (xnox)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939287

Title:
  dbgsym package is missing for ubuntu focal hwe kernel 5.11

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-hwe-5.11/+bug/1939287/+subscriptions



[Bug 1938748] Re: test_320_config_arm_pan from ubuntu_qrt_kernel_security failed on F-oracle-5.4 / H-oracle-5.11 ARM64

2021-09-03 Thread Dimitri John Ledkov
Imho we must enable it, especially for Oracle, since compute nodes may
be shared between multiple tenants.

It would be also interesting to check if the hardware used with this
kernel does not have errata / issues discussed in
https://www.spinics.net/lists/arm-kernel/msg788470.html i.e. that it
disables this protection anyway.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1938748

Title:
  test_320_config_arm_pan from ubuntu_qrt_kernel_security failed on
  F-oracle-5.4 / H-oracle-5.11 ARM64

To manage notifications about this bug go to:
https://bugs.launchpad.net/qa-regression-testing/+bug/1938748/+subscriptions



[Bug 1940514] Re: It will prompt "Failed to unmount /oldroot" when shutdown or reboot

2021-09-02 Thread Dimitri John Ledkov
With "splash" in cmdline, on shutdown, desktop images start plymouth
with graphical splash on a shutdown TTY such that one should be seeing
animation (and any graphical or text messages should be hidden from the
user). One should be able to use alt-ctrl-arrowkeys to switch back to
tty1 to still see messages if one desires. Plymouth should continue to
run.

Normally on shutdown systemd-shutdown binary is called from the regular
rootfs. It tries to kill and unmount all the things, and after it stops
making any progress, it reexecs systemd-shutdown binary from
/run/initramfs/shutdown.

That, in turn, is systemd-shutdown binary, _again_. But this time it has
been performed with pivot root. Meaning the regular rootfs is now
mounted as /oldroot/ and things are held up there.

I wonder if it is plymouth that is holding up /dev/pts and like udevd
holding up /dev. And if killing those in shutdown hooks is appropriate.
Or for example running plymouth from /run/initramfs, rather than from
rootfs.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1940514

Title:
  It will prompt "Failed to unmount /oldroot" when shutdown or reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1940514/+subscriptions



[Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-09-01 Thread Dimitri John Ledkov
# grep CODENAME /etc/os-release 
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

# uname -r
5.11.0-34-generic

dmesg:
[0.797134] blacklist: Loading compiled-in revocation X.509 certificates
[0.797696] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'

built-in revocation cert is loaded

[0.806069] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[0.806848] integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'

mokvar table is available, and is used.

# keyctl list %:.blacklist | grep Canonical
613299796: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0

# keyctl list %:.blacklist | grep bin: | wc
 79 4748853

# mokutil --list-enrolled --mokx
[key 1]
  [SHA-256]
  

Revoked binaries are correctly loaded from MOKvar table, despite not
being mirrored into MokListXRT efi variable.


** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928679

Title:
  Support importing mokx keys into revocation list from the mok table

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/+subscriptions



[Bug 1932029] Re: Support builtin revoked certificates

2021-09-01 Thread Dimitri John Ledkov
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/comments/7

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1932029

Title:
  Support builtin revoked certificates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029/+subscriptions



[Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-09-01 Thread Dimitri John Ledkov
# uname -r
5.11.0-34-generic

# sudo keyctl list %:.platform
3 keys in keyring:
149920180: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
434591909: ---lswrv 0 0 asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
404799886: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4

# sudo keyctl list %:.blacklist | grep bin: | wc
 79 4748854

# sudo keyctl list %:.blacklist | grep Canonical
1050199374: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0

dmesg

[1.074086] blacklist: Loading compiled-in revocation X.509 certificates
[1.074714] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'

[1.084216] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[1.085028] integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'

MOKvar is available, and used to load Master CA into .platform keyring,
and hashes into blacklist keyring.

** Tags removed: verification-needed-hirsute
** Tags added: verification-done-hirsute

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928679

Title:
  Support importing mokx keys into revocation list from the mok table

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/+subscriptions



[Bug 1932029] Re: Support builtin revoked certificates

2021-09-01 Thread Dimitri John Ledkov
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/comments/6

** Tags removed: verification-needed-hirsute
** Tags added: verification-done-hirsute

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1932029

Title:
  Support builtin revoked certificates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029/+subscriptions



[Bug 1942319] [NEW] When booting with UEFI, mokvar table and %:.platform keyring must be available

2021-09-01 Thread Dimitri John Ledkov
Public bug reported:

When booting with UEFI, mokvar table and %:.platform keyring must be
available

** Affects: linux-kvm (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1942319

Title:
  When booting with UEFI, mokvar table and %:.platform keyring must be
  available

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-kvm/+bug/1942319/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-09-01 Thread Dimitri John Ledkov
Disabled initrd less boot, and installing linux-generic kernel from
proposed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928679

Title:
  Support importing mokx keys into revocation list from the mok table

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/+subscriptions



[Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-09-01 Thread Dimitri John Ledkov
Verifying using hirsute:

# uname -r
5.11.0-1014-kvm

# grep CODENAME /etc/os-release 
VERSION_CODENAME=hirsute
UBUNTU_CODENAME=hirsute

# keyctl list %:.blacklist
Can't find 'keyring:.blacklist'

Upgraded kernel:

# uname -r
5.11.0-1015-kvm

# keyctl list %:.blacklist
1 key in keyring:
330780907: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0

In dmesg:
[0.375674] blacklist: Loading compiled-in revocation X.509 certificates
[0.376015] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'

No other blacklist hashes got imported, cause they do not appear in
mokvar table nor in MokListRT mirror variable, nor does kvm kernel
appear to have platform keyring... which is very odd cause UEFI db
keys for Microsoft Production PCA 2011 and UEFI CA 2011 are missing.

It seems to me that kvm kernel is a bit broken, and doesn't have support
for mokvar or .platform keyring, which is very bad.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1928679

Title:
  Support importing mokx keys into revocation list from the mok table

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
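
The manual checks in the three verification messages for bug 1928679 above (focal, hirsute and the kvm kernel) can be scripted. This is an added example, not part of the original messages or of any Ubuntu tooling: the function names, the key serials and hashes on the `bin:` lines, and the "Can't find 'keyring:.platform'" text are assumptions made for the sample input.

```python
import re
from dataclasses import dataclass

# One entry of `keyctl list`: "<serial>: <perms> <uid> <gid> <type>: <description>"
KEY_LINE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+([\w.-]+):\s+(.*)$")


@dataclass
class Key:
    serial: int
    ktype: str
    description: str


def parse_keyctl_list(output):
    """Return the keys listed by `keyctl list`, or None when the keyring is absent."""
    if "Can't find" in output:
        return None
    keys = []
    for line in output.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys.append(Key(int(m.group(1)), m.group(5), m.group(6).strip()))
    return keys


def assess(dmesg, blacklist_out, platform_out):
    """Summarise revocation state from dmesg plus the two keyring listings."""
    blacklist = parse_keyctl_list(blacklist_out)
    platform = parse_keyctl_list(platform_out)
    report = {
        "builtin_revocation_loaded":
            "blacklist: Loading compiled-in revocation X.509 certificates" in dmesg,
        "mokvar_table_used": "UEFI:MokListRT (MOKvar table)" in dmesg,
        "revoked_certs": [k.description for k in (blacklist or [])
                          if k.ktype == "asymmetric"],
        "revoked_hashes": sum(k.description.startswith("bin:")
                              for k in (blacklist or [])),
        "platform_keys": [k.description for k in (platform or [])],
        "findings": [],
    }
    if blacklist is None:
        report["findings"].append(".blacklist keyring missing")
    if platform is None:
        report["findings"].append(".platform keyring missing")
    if not report["mokvar_table_used"]:
        report["findings"].append("MOKvar table not used")
    if blacklist is not None and report["revoked_hashes"] == 0:
        report["findings"].append("no revoked binary hashes imported")
    return report


# Sample input: certificate lines as quoted in the messages (wrapped lines
# rejoined); the two "bin:" entries and their serials are constructed.
DMESG_GENERIC = """\
[0.797134] blacklist: Loading compiled-in revocation X.509 certificates
[0.797696] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
[0.806069] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[0.806848] integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
"""
BLACKLIST_GENERIC = """\
3 keys in keyring:
613299796: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0
100000001: ---lswrv 0 0 blacklist: bin:0000000000000000000000000000000000000000000000000000000000000000
100000002: ---lswrv 0 0 blacklist: bin:1111111111111111111111111111111111111111111111111111111111111111
"""
PLATFORM_GENERIC = """\
3 keys in keyring:
149920180: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
434591909: ---lswrv 0 0 asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
404799886: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
"""
# kvm kernel case: only the compiled-in certificate, no MOKvar, no .platform.
DMESG_KVM = """\
[0.375674] blacklist: Loading compiled-in revocation X.509 certificates
[0.376015] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
"""
BLACKLIST_KVM = """\
1 key in keyring:
330780907: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0
"""
PLATFORM_KVM = "Can't find 'keyring:.platform'"  # constructed by analogy

if __name__ == "__main__":
    for name, args in (("generic", (DMESG_GENERIC, BLACKLIST_GENERIC, PLATFORM_GENERIC)),
                       ("kvm", (DMESG_KVM, BLACKLIST_KVM, PLATFORM_KVM))):
        print(name, assess(*args)["findings"] or "ok")
```

On a live system the three inputs would come from `dmesg`, `keyctl list %:.blacklist` and `keyctl list %:.platform`, run as root.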

[Bug 1928648] Re: expiring trust anchor compatibility issue

2021-08-31 Thread Dimitri John Ledkov
** Description changed:

  [Impact]
  
   * gnutls28 fails to talk to letsencrypt website past September 2021,
  despite trusting the letsencrypt root certificate.
  
  [Test Plan]
  
   * Import staging cert equivalent to ISRG Root X1
  https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem
  
   * Import expired staging cert equivalen tto DST Root CA X3
  https://letsencrypt.org/certs/staging/letsencrypt-stg-root-dst.pem
  
   * Test connectivity to the expired-root-ca test website
  https://expired-root-ca-test.germancoding.com
  
  setup:
  
  apt install wget gnutls-bin
  wget https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem
  wget https://letsencrypt.org/certs/staging/letsencrypt-stg-root-dst.pem
  cat letsencrypt-stg-root-x1.pem letsencrypt-stg-root-dst.pem >> ca.pem
  
  test case:
  gnutls-cli --x509cafile=ca.pem expired-root-ca-test.germancoding.com
  
  bad result:
  - Status: The certificate is NOT trusted. The certificate chain uses expired 
certificate.
  *** PKI verification of server certificate failed...
  *** Fatal error: Error in the certificate.
  *** handshake has failed: Error in the certificate.
  
  good result:
  - Status: The certificate is trusted.
  - Description: 
(TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
  - Session ID: 
A8:2B:AF:85:54:64:3A:79:81:99:16:D4:6D:9A:FC:30:F1:EC:49:A4:09:A9:0C:31:37:38:C2:0E:73:C7:C9:04
  - Options: OCSP status request,
  - Handshake was completed
  
  Connection should be successful and trusted with correctly working
  gnutls client that can manage to ignore expired CA, and build a valid
  trust path using non-expired CA in the chain.
  
  [Where problems could occur]
  
   * Changes as to how the trust paths are built in TLS connection may
  result in introducing bugs (failure to connect to valid sites) and/or
  security vulnerabilities (connecting to invalid sites successfully).
  
  [Other Info]
  
   * Background info
   * The current chain from letsencrypt is expiring, they are adding a new 
chain, but also keeping the expiring one. This will result in connectivity 
issues when using old gnutls/openssl against websites using the default 
letsencrypt configuration after September 2021.
  
  
https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
  
https://community.letsencrypt.org/t/questions-re-openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143817
  
  Currently gnutls28 in bionic and earlier will not establish a
  connection, if any parts of the trust chain have expired, even though
  alternative non-expired chains are available.
  
  This has been fixed in GnuTLS 3.6.14, but probably should be backported
  to bionic and earlier if it was not already been done so.
  
  https://gitlab.com/gnutls/gnutls/-/issues/1008
  
  https://gitlab.com/gnutls/gnutls/-/merge_requests/1271
  
  Openssl bug report for this issue is
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1928989
  
  Bionic packages available from https://launchpad.net/~ci-train-ppa-
- service/+archive/ubuntu/4661/+packages
+ service/+archive/ubuntu/4661
+ 
+ Xenial packages availabel from https://launchpad.net/~ci-train-ppa-
+ service/+archive/ubuntu/4663
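
Review bot: the added Xenial line misspells "available" as "availabel", and the unchanged test-plan bullet above it still reads "equivalen tto DST Root CA X3"; both are worth fixing in the same description edit. In the setup block, "cat letsencrypt-stg-root-x1.pem letsencrypt-stg-root-dst.pem >> ca.pem" appends, so re-running the test plan in a directory that already holds a ca.pem leaves duplicate or stale anchors in the file passed to --x509cafile; writing with ">" would make the test repeatable.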

** Description changed:

  [Impact]
  
   * gnutls28 fails to talk to letsencrypt website past September 2021,
  despite trusting the letsencrypt root certificate.
  
  [Test Plan]
  
   * Import staging cert equivalent to ISRG Root X1
  https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem
  
   * Import expired staging cert equivalen tto DST Root CA X3
  https://letsencrypt.org/certs/staging/letsencrypt-stg-root-dst.pem
  
   * Test connectivity to the expired-root-ca test website
  https://expired-root-ca-test.germancoding.com
  
  setup:
  
  apt install wget gnutls-bin
  wget https://letsencrypt.org/certs/staging/letsencrypt-stg-root-x1.pem
  wget https://letsencrypt.org/certs/staging/letsencrypt-stg-root-dst.pem
  cat letsencrypt-stg-root-x1.pem letsencrypt-stg-root-dst.pem >> ca.pem
  
  test case:
  gnutls-cli --x509cafile=ca.pem expired-root-ca-test.germancoding.com
  
  bad result:
  - Status: The certificate is NOT trusted. The certificate chain uses expired 
certificate.
  *** PKI verification of server certificate failed...
  *** Fatal error: Error in the certificate.
  *** handshake has failed: Error in the certificate.
  
  good result:
  - Status: The certificate is trusted.
  - Description: 
(TLS1.3-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
  - Session ID: 
A8:2B:AF:85:54:64:3A:79:81:99:16:D4:6D:9A:FC:30:F1:EC:49:A4:09:A9:0C:31:37:38:C2:0E:73:C7:C9:04
  - Options: OCSP status request,
  - Handshake was completed
  
  Connection should be successful and trusted with correctly working
  gnutls client that can manage to ignore expired CA, and build a valid
  trust path using non-expired CA in the chain.
  
  [Where problems could occur]
  
   * 
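
The test plan above distinguishes a client that rejects the connection because one anchor in the sent chain has expired from one that builds a path through the non-expired anchor. The following added example models that difference; it is a simplified sketch, not GnuTLS code and not part of the original message. Signatures are replaced by matching key labels, and the class, the function names, the "Intermediate CA" certificate and all dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: str        # stand-in for the subject's public key
    signed_by: str  # stand-in for the key that produced the signature
    not_after: datetime

    def expired(self, now):
        return now > self.not_after

    def issued(self, child):
        return child.issuer == self.subject and child.signed_by == self.key


def _linked(chain):
    """Each certificate must be issued by the next one in the sent chain."""
    return all(chain[i + 1].issued(chain[i]) for i in range(len(chain) - 1))


def verify_full_chain(chain, anchors, now):
    """Old behaviour: follow the chain the server sent all the way to its end."""
    if not _linked(chain):
        return False, "broken chain", []
    roots = [a for a in anchors if a.issued(chain[-1])]
    if not roots:
        return False, "no trust anchor", []
    path = list(chain) + [roots[0]]
    if any(c.expired(now) for c in path):
        return False, "chain uses expired certificate", []
    return True, "trusted", [c.subject for c in path]


def verify_first_valid_anchor(chain, anchors, now):
    """Fixed behaviour: stop at the first certificate an unexpired anchor issued."""
    if not _linked(chain):
        return False, "broken chain", []
    for i, cert in enumerate(chain):
        if cert.expired(now):
            return False, "chain uses expired certificate", []
        for anchor in anchors:
            if anchor.issued(cert) and not anchor.expired(now):
                path = list(chain[: i + 1]) + [anchor]
                return True, "trusted", [c.subject for c in path]
    return False, "no unexpired trust anchor", []


# Constructed scenario mirroring the test plan: the server sends a chain that
# ends in a cross-signed ISRG Root X1, and the trust store holds both the
# self-signed ISRG Root X1 and the expired DST Root CA X3.
UTC = timezone.utc
NOW = datetime(2021, 10, 15, tzinfo=UTC)      # constructed "today"
LATER = datetime(2030, 1, 1, tzinfo=UTC)      # constructed expiry
LEAF = Cert("expired-root-ca-test.germancoding.com", "Intermediate CA",
            "k-leaf", "k-int", datetime(2021, 12, 1, tzinfo=UTC))
INTERMEDIATE = Cert("Intermediate CA", "ISRG Root X1", "k-int", "k-x1", LATER)
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", "k-x1", "k-dst", LATER)
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", "k-x1", "k-x1", LATER)
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", "k-dst", "k-dst",
                datetime(2021, 9, 30, tzinfo=UTC))
SERVER_CHAIN = [LEAF, INTERMEDIATE, X1_CROSS]
TRUST_STORE = [X1_SELF, DST_ROOT]

if __name__ == "__main__":
    print("full chain:        ", verify_full_chain(SERVER_CHAIN, TRUST_STORE, NOW))
    print("first valid anchor:", verify_first_valid_anchor(SERVER_CHAIN, TRUST_STORE, NOW))
```

With only the expired anchor in the trust store, both functions reject the connection, which is the case the "[Where problems could occur]" section is concerned with not loosening.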

[Bug 1836144] Re: report build full log if failing under autopkgtest

2021-08-31 Thread Dimitri John Ledkov
For failed results, in artifacts, all make.logs are stored and available
for download and inspection.

** Changed in: dkms (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1836144

Title:
  report build full log if failing under autopkgtest

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1836144/+subscriptions



[Bug 1921518] Re: OpenSSL "double free" error

2021-08-27 Thread Dimitri John Ledkov
@Vladimir

This is an improvement.

Previously we were getting: double free or corruption (out)
But now it is: Bus error
So some progress has been made.

Can you please install debug symbols, and generate a complete traceback
with debug symbols? or a core dump with debug symbols? (libcurl4-dbgsym
curl-dbgsym libssl1.1-dbgsym)

Also which libpka are you using? Were debug symbols compiled for it, and
can you share it? Is it just the latest build from github?

I have not previously seen Bus error when debugging this issue => on
arm64 it is usually non-aligned memory access coming from somewhere.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921518

Title:
  OpenSSL "double free" error

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1921518/+subscriptions



[Bug 1941622] Re: Bump unmatched CPU clock rate to 1.5GHz

2021-08-27 Thread Dimitri John Ledkov
** Changed in: u-boot (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1941622

Title:
  Bump unmatched CPU clock rate to 1.5GHz

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/u-boot/+bug/1941622/+subscriptions


