Email: firstname.lastname@example.org • Twitter: @benhutchingsuk • Debian: benh • Gitweb: git.decadent.org.uk • Github: github.com/bwhacks
I was assigned 18 hours of work by Freexian's Debian LTS initiative and worked all those hours this month.
I released Linux 3.16.66, and then prepared and released Linux 3.16.67 with a small number of fixes. I backported the updated Linux 4.9 packages from Debian 9.9, uploaded them and issued DLA-1771.
I had a little advance notice of the MDS speculative execution flaws, and started backporting the mitigations for these to older stable branches, starting with a version for Linux 4.14. I backported to 4.9 (Debian stretch/jessie) first, then to 4.4 (CIP) and 3.16 (Debian jessie). The charge for this time was accordingly split between CIP and Freexian.
I backported the security update for Linux 4.9 from stretch to jessie and issued DLA-1787.
The backport of mitigations to Linux 3.16 took longest to finish, as the x86 kernel exit path was substantially rewritten between 3.16 and 4.4. I needed to apply the mitigation in multiple assembly-language routines rather than a single C function, and before that I needed to backport support for static_branch patching in assembly-language source files. I sent the changes out for review and testing as Linux 3.16.68-rc1, and as Debian packages on people.debian.org. Since no problems were found, I released Linux 3.16.68, uploaded updated packages, and issued DLA-1799.
I was assigned 17.25 hours of work by Freexian's Debian LTS initiative and carried over 14 hours from March. I worked all 31.25 hours this month.
I uploaded firmware-nonfree with Emilio Pozuelo Monfort's changes, and issued DLA-1747-1.
I made a stable update to Linux 3.16 (3.16.65) and rebased the Debian package on top of this. I built and uploaded packages for testing, to reduce the risk of an uncaught regression in the next update to jessie. I prepared the next stable update (3.16.66), which is currently out for review.
I merged changes from stretch's linux package into linux-4.9, and from linux-latest into linux-latest-4.9. I built and uploaded these and prepared a DLA. However, linux-4.9 is currently waiting in the NEW queue because it includes an ABI bump.
I was assigned 20 hours of work by Freexian's Debian LTS initiative and carried over 16.5 hours from February. I worked 22.5 hours and so will carry over 14 hours.
I merged changes from stretch's linux package into the linux-4.9 package, uploaded that, and issued DLA-1715. I made another stable update to Linux 3.16 (3.16.64). I then rebased Debian's linux package on that version, uploaded it, and issued DLA-1731. This unfortunately introduced a regression, which I fixed in a second update.
I also reviewed and merged Emilio Pozuelo Monfort's changes to the firmware-nonfree package to address CVE-2018-5383.
I was assigned 19.5 hours of work by Freexian's Debian LTS initiative and carried over 1 hour from January. I worked only 4 hours and so will carry over 16.5 hours.
I backported various security fixes to Linux 3.16, but did not upload a new release yet.
I was assigned 20 hours of work by Freexian's Debian LTS initiative and carried over 5 hours from December. I worked 24 hours and so will carry over 1 hour.
I prepared another stable update for Linux 3.16 (3.16.63), but did not upload a new release yet.
I also raised the issue that the installer images for Debian 8 "jessie" would need to be updated to include a fix for CVE-2019-3462.