Archive of posts from 2022
Debian LTS work, November 2022
In November I was assigned 24 hours by Freexian's Debian LTS initiative. I worked 9 of those hours and will carry over the remainder.
I updated the linux (4.19) package to the latest stable update, but didn't upload it. I attended the monthly LTS team meeting.
Debian LTS work, October 2022
In October I was not assigned additional time by Freexian's Debian LTS initiative, but carried over 9 hours from September and worked all those hours.
I updated the linux (4.19) package to the latest stable update, but didn't upload it. I merged the latest bullseye security update into the linux-5.10 package, uploaded that, and issued DLA-3173-1.
Debian LTS work, August-September 2022
I have continued to work for Freexian on Debian LTS. In August I carried over 21 hours from July, and worked 13 hours. In September I was assigned an additional 17 hours, and worked 16 hours. I will carry over 9 hours into October.
In August, Debian 10 "buster" entered LTS status. I spent some time on the backport of Linux 5.10 for buster. While this previously existed in buster-backports, further changes were required to add it as an alternative kernel version in buster-security, particularly around code signing. When that was complete, I issued DLA-3102-1.
I also prepared and uploaded an update to the linux (4.19) package. I issued DLA-3131-1 for these changes.
Debian LTS work, July 2022
In July I was assigned 24 hours of work by Freexian's Debian LTS initiative. I worked 3 hours and will carry over the rest to August.
In July, no Debian release was in LTS status. However, I spent some time finishing the DLA text for my upload of linux at the end of June. I also attended the LTS BoF at DebConf and the regular team meeting.
Debian LTS work, June 2022
In June I was not assigned additional hours of work by Freexian's Debian LTS initiative, but carried over 16 hours from May and worked all of those hours.
I spent some time triaging security issues for Linux. I tested several security fixes for Linux 4.9 and 4.19 and submitted them for inclusion in the upstream stable branches.
I rebased the Linux 4.9 (linux) package on the latest stable update (4.9.320), uploaded this and issued the final DLA for stretch, DLA-3065-1.
Debian LTS work, May 2022
In May I was assigned 11 hours of work by Freexian's Debian LTS initiative and carried over 13 hours from April. I worked 8 hours, and will carry over the remaining time to June.
I spent some time triaging security issues for Linux, working out which of them were fixed upstream and which actually applied to the versions provided in Debian 9 "stretch". I rebased the Linux 4.9 (linux) package on the latest stable update, but did not make an upload this month. I started backporting several security fixes to 4.9, but those still have to be tested and reviewed.
Debian LTS work, April 2022
In April I was assigned 16 hours of work by Freexian's Debian LTS initiative and carried over 8 hours from March. I worked 11 hours, and will carry over the remaining time to May.
I spent most of my time triaging security issues for Linux, working out which of them were fixed upstream and which actually applied to the versions provided in Debian 9 "stretch". I also rebased the Linux 4.9 (linux) package on the latest stable update, but did not make an upload this month.
Debian LTS work, March 2022
In March I was assigned 16 hours of work by Freexian's Debian LTS initiative and carried over 8 hours from February. I worked 16 hours, and will carry over the remaining time to April.
I backported the mitigations for Spectre-BHB (CVE-2022-0001, CVE-2022-0002) on x86 processors, to Linux 4.9. I worked together with Salvatore Bonaccorso in preparing the kernel updates that were needed in all suites, and writing advisory text. I uploaded both the linux (4.9) and linux-4.19 packages to stretch, and issued DLA-2940-1 and DLA-2941-1.
I also triaged new issues that were reported later in the month.
Debian LTS work, February 2022
In February I was assigned 16 hours of work by Freexian's Debian LTS initiative and carried over 8 hours from January. I worked 16 hours, and will carry over the remaining time to March.
I spent most of my time triaging security issues for Linux, working out which of them were fixed upstream and which actually applied to the versions provided in Debian 9 "stretch". I also rebased the Linux 4.9 (linux) package on the latest stable update, but did not make an upload this month.
CI for the Debian kernel team
Starting just after Christmas, I have been working on CI for all the kernel team's packages on Salsa. The salsa-ci-team has done great work on producing a common pipeline that is usable for most packages with minimal configuration. However, for some packages a lot more work was required.
Linux
I started with the most important package, linux itself. This now has about 1.1 GiB of source spread over 76,000 source files. That turns out to be a problem for the pipeline which currently puts unpacked source in artifacts - it is far beyond the limits of what Salsa allows. I worked around this by using modified versions of the extract-source and build jobs that use packed source package as the artifacts. The output of the build job is compatible with the common test jobs.
The linux package also takes a lot of resources to build; around 80 minutes on the fastest PC I have at home (if ccache is not primed). Salsa's shared CI runners seem to be about 10 times slower than that, so it is completely unfeasible to do even one full build in CI. Instead I defined a new build profile that includes only the smallest kernel configuration, without debug info, and the user-space packages. This still takes over an hour with the Salsa CI runners, but I don't think we can improve this much without losing a lot of code coverage.
Our Git repository for linux also does not contain the upstream source, so the extract-source job has to fetch that. The common extract-source job uses
origtargz
to do that, and in case the orig tarball is not already in the archive this will runuscan
. That led me to a new problem: ourdebian/watch
file could only find tarballs linked from the front of www.kernel.org, and we're sometimes working with different upstream versions. There is actually no single page listing all tarball releases of Linux, and tarballs for release candidates are dynamically generated by CGit and unsigned. So I changeddebian/watch
to fetch from Git, which is what we were already doing with our owngenorig.py
script.Unfortunately, running
uscan
against a Git upstream, with some files excluded (as there are still a few upstream files we consider non-free), is about twice as slow as it could be. Since I had to modify the extract-source job anyway, I've continued usinggenorig.py
there.A full build log for linux is over 200 MiB, and even with the reduced build profile it would be much longer than Salsa's limit of
24 MiB. I therefore opted to use the 'terse' build option (which translates toV=0
), but made the builds of user-space tools ignore this option so that blhc could still do its work. (The kernel itself cannot use the same hardening options, so blhc is not useful there.)Finally, with the CI pipeline running, blhc and lintian showed a lot of problems that we hadn't been attending to. I've fixed all the blhc errors (with some careful suppressions), all the lintian errors, and the most straightforward lintian warnings.
firmware-nonfree
The firmware-nonfree package also has huge "source" (about 560 MB) and needed some of the same modifications, but is quick to build so did not require a special build profile.
Running lintian over firmware-nonfree reminded me that I needed to sort out the unsuual and inconistent handling of machine-readable copyright information in this source package. I had already done most of that work on a private branch in 2020, so this is mostly ready but I still need to resolve a licensing issue with AppStream metadata.
Other packages
For kernel-handbook, there was already a trivial "CI" pipeline used to push static pages to the web site. I've replaced this with the common pipeline plus a job that will push the pages from each build on the master branch.
For everything else, it was straightforward to enable the common pipeline with a little bit of configuration.
Debian LTS work, January 2022
In January I was assigned 24 hours of work by Freexian's Debian LTS initiative. I worked 16 hours, and will carry over the remaining time to February.
I sent various backported security fixes for Linux to the stable mailing list, and they have been included in subsequent stable releases. I rebased the linux package on the latest 4.9-stable release, but did not yet upload it.
Debian LTS work, December 2021
In December I was assigned 20 hours of work by Freexian's Debian LTS initiative. I worked 16 hours, and the remaining 4 hours cancelled out my over-work in November.
I completed an update to the linux (4.9) package and issued DLA 2843-1.