Archive of posts from 2015
Comparing dracut and initramfs-tools
initramfs-tools version 0.121~rc2 and dracut version 044+3-2 have moved most of what was in their main binary packages into a 'core' package (dracut-core, initramfs-tools-core), leaving only automation hooks in the main package. The core packages can be coinstalled without conflicts and without creating any initramfs images at installation time.
If you've been wondering how they compare but were afraid to break your system by overwriting your current working initramfs, now is the time to try the other option.
What's new in initramfs-tools
I spent much of my Debian time in the last few weeks triaging and fixing bugs in initramfs-tools. All of the important bugs should be fixed, except for two where I needed more information from the submitter.
Due to the scope of these changes and potential for regressions, I've made a release candidate, version 0.121~rc2, rather than a full release. This is now available in experimental, and I would appreciate real-world testing feedback in the next few weeks. (If you're wondering what happened to rc1, that had 'unstable' as the distribution, which I didn't notice until after pushing the tag.)
From the release announcement, the major changes are:
- Split initramfs-tools binary package into core and automation hooks, to allow for coinstallation of the core with other initramfs builders
- Fail at build-time if busybox is wanted but not found
- Rewrite build-time block device sysfs lookup to be generic
- Include modules for all components of a multi-disk device
- Use blkid to resolve LABEL=, UUID=, PARTLABEL= and PARTUUID= block device IDs at boot time, and do this much later
- Change file copying to distinguish executables from other file types and to preserve symlinks
- Run panic scripts just before dropping to a shell
Thanks to Andy Whitcroft, Boris Egorov, Laurent Bigonville, Roger Leigh, Roger Shimizu and Salvatore Bonaccorso for their patches which I applied in this version.
Debian LTS work, November 2015
I've now been working on Debian LTS for a full year, so I'm going to stop counting months.
In November, I carried over 5 hours from October and was assigned another 15 hours of work by Freexian's Debian LTS initiative. However, I spent much of the month on sick leave, so I only worked 5 billable hours on Debian LTS plus some unbilled time while on leave.
I had another week in the front desk role, and triaged about 20 new issues. Less than half actually affected packages supported in squeeze-lts, and only about 5 were important.
CVE-2015-5309 in putty had a patch that was fairly easy to backport, so I did that, uploaded and sent DLA 347-1.
I backported several security fixes to linux-2.6 and sent some of those we had already released to Willy Tarreau for inclusion in Linux 2.6.32-longterm. At the end of the month, I reviewed Linux 2.6.32.69-rc1 and found a couple of bugs, leading to an -rc2. I applied that to the linux-2.6 packaging branch for squeeze-lts and spent a little time testing it, thankfully not hitting any regressions.
Debian LTS work, October 2015
For my 11th month working on Debian LTS, I carried over 5.5 hours from September and was assigned another 13.5 hours of work by Freexian's Debian LTS initiative. I worked 14 of a possible 19 hours.
Debian LTS work, September 2015
For my 10th month working on Debian LTS, I was assigned 14.5 hours of work by Freexian's Debian LTS initiative, but only worked for 9 hours.
Front desk
I had another week in the 'front desk' role, where I triaged new security issues for squeeze. Happily, few of them affected squeeze.
linux-2.6
I reviewed a new upstream stable update, 2.6.32.68, and then applied it to our package once it was released. I backported a further 3 security fixes, uploaded the package and issued DLA-310-1.
binutils
binutils had several buffer overflow bugs to be fixed. They aren't very likely to be exploitable as most users won't be processing untrusted input with binutils. Nevertheless, I backported the fixes from upstream and (early this month) issued DLA-324-1.
Debian LTS work, August 2015
This was my ninth month working on Debian LTS. I was assigned 15 hours of work by Freexian's Debian LTS initiative.
Securing www.decadent.org.uk
Sven Hoexter replied to my previous entry to say that WoSign also provides free DV TLS certificates. What's more, they allow up to 10 alternate names, unlike StartSSL. So I've gone ahead with a new certificate for www.decadent.org.uk and other virtual servers including git.decadent.org.uk.
WoSign sensibly mandates a key length of 2048 bits, and together with the default TLS configuration for Apache in Debian 'jessie' this resulted in an A- rating from Qualys SSL Server Test.
I then disabled non-PFS and otherwise weak cipher suites in /etc/apache2/mods-enabled/ssl.conf:
SSLCipherSuite HIGH:!aNULL:!kRSA:!3DES
This resulted in an A rating. Finally, I added redirection of all plaintext HTTP connections to HTTP-S (which is easier than working out how to make the virtual server work with and without TLS, anyway). I enabled HSTS for each VirtualHost:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
This resulted in an A+ rating. These web sites will now be inaccessible to Java 6 and IE on Windows XP, but that's no great loss (1 in 1500 hits over the past few weeks).
Securing my own blog
Yeah I know, a bit ironic that this isn't available over HTTP-S. I could reuse the mail server certificate to make https://decadent.org.uk/ work...
Securing debcheckout of git repositories
Some source packages have Vcs-Git URLs using the git: scheme, which is plain-text and unauthenticated. It's probably harder to MITM than HTTP, but still we can do better than this even for anonymous checkouts. git is now nearly as efficient at cloning/pulling over HTTP-S, so why not make that the default?
Securing git imap-send in Debian
I usually send patches from git via git imap-send, which gives me a chance to edit and save them through my regular mail client. Obviously I want to make a secure connection to the IMAP server. The upstream code now supports doing this with OpenSSL, but git is under GPL and it seems that not all relevant contributors have given the extra permission to link with OpenSSL. So in Debian you still need to use an external program to provide a TLS tunnel.
Truncating a string in C
This version uses the proper APIs to work with the locale's multibyte encoding (with single-byte encodings being a trivial case of multibyte). It will fail if it encounters an invalid byte sequence (e.g. byte > 127 in the "C" locale), though it could be changed to treat each rejected byte as a single character.
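As an added illustration of the approach described above (this is not the post's own code), the function below truncates a string in place to a given number of characters using the locale's multibyte APIs (mbrlen with an explicit mbstate_t), and refuses to cut inside a sequence or to continue past an invalid or incomplete one. The function name truncate_mb and the four-character limit in main are assumptions made for this example.

```c
#include <errno.h>
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/*
 * Truncate s in place so that it contains at most max_chars characters of
 * the current locale's multibyte encoding, never cutting a sequence in
 * half. Returns the new length in bytes, or (size_t)-1 with errno set to
 * EILSEQ if an invalid or incomplete sequence is found before the limit.
 * In the "C" locale any byte > 127 is such an invalid sequence.
 */
size_t truncate_mb(char *s, size_t max_chars)
{
    mbstate_t state;
    size_t len = strlen(s);
    size_t pos = 0, chars = 0;

    memset(&state, 0, sizeof state);  /* start in the initial shift state */
    while (chars < max_chars && pos < len) {
        /* mbrlen() gives the byte length of the next character, or
         * (size_t)-1 for an invalid sequence and (size_t)-2 for one cut
         * off by the end of the string. */
        size_t n = mbrlen(s + pos, len - pos, &state);
        if (n == (size_t)-1 || n == (size_t)-2) {
            errno = EILSEQ;
            return (size_t)-1;
        }
        pos += n;
        chars++;
    }
    s[pos] = '\0';
    return pos;
}

int main(int argc, char **argv)
{
    char buf[256];

    setlocale(LC_CTYPE, "");  /* use the locale from the environment */
    if (argc < 2)
        return 1;
    snprintf(buf, sizeof buf, "%s", argv[1]);
    if (truncate_mb(buf, 4) == (size_t)-1) {  /* keep at most 4 characters */
        perror("truncate_mb");
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}
```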
DebCamp 2015
I've now spent nearly a week in Heidelberg, attending DebCamp and working on 'kernel stuff'. It's been very sunny and warm here, sometimes uncomfortably so. I've been sitting in an outdoor hacklab - covered but otherwise open to the elements. Right now it is mild and raining, and quite comfortable here.
Debian LTS work, July 2015
This was my eighth month working on Debian LTS. I was assigned 14.75 hours of work by Freexian's Debian LTS initiative.
Debian LTS work, June 2015
This was my seventh month working on Debian LTS. I was assigned 14.75 hours of work by Freexian's Debian LTS initiative.
Debian LTS work, May 2015
This was my sixth month working on Debian LTS. I was assigned 10.5 hours by Freexian's Debian LTS initiative. This was less than in previous months, but I was still able to work on several packages.
Debian LTS work, April 2015
This was my fifth month working on Debian LTS. I was assigned 16 hours by Freexian's Debian LTS initiative. I worked on several packages but haven't uploaded updates yet.
Call for testing: linux 3.16.7-ckt9-1
As it is nearly time to release Debian 8 (codename jessie), I've uploaded a new version of the Linux kernel to unstable which I hope will be the version to go into the initial release (8.0). The changes from the current version in testing are mostly bug fixes:
Debian LTS work, March 2015
This was my fourth month working on Debian LTS. I was assigned 14.5 hours by Freexian's Debian LTS initiative, but I only worked 11.5 as I had a week's holiday and then was ill for part of this week.
Debian LTS work, February 2015
This was my third month working on Debian LTS, and the first where I actually uploaded packages. I also worked on userland packages for the first time.
Debian LTS work, January 2015
This was my second month working on Debian LTS, paid for by Freexian's Debian LTS initiative via Codethink. I spent 11.75 hours working on the kernel package (linux-2.6) and committed my changes but did not complete an update. I or another developer will probably release an update soon.
I have committed fixes for CVE-2013-6885, CVE-2014-7822, CVE-2014-8133, CVE-2014-8134, CVE-2014-8160, CVE-2014-9419, CVE-2014-9420, CVE-2014-9584, CVE-2014-9585 and CVE-2015-1421. In the process of looking at CVE-2014-9419, I noticed that Linux 2.6.32.y is missing a series of fixes to FPU/MMX/SSE/AVX state management that were made in Linux 3.3 and backported to 3.2.y some time ago. These addressed possible corruption of these registers when switching tasks, although it's less likely to happen in 2.6.32.y. The fix for CVE-2014-9419 depends on them. So I've backported and committed all these changes, but may yet decide that they're too risky to include in the next update.
Linux suspend/resume regression in Debian 7.8
There was a regression in Linux 3.2.65, which unfortunately was included in this weekend's Debian stable point release (7.8) as I didn't point out the bug reports to the stable release team. At least some systems are now failing to resume after suspending to RAM; instead they reboot.
I have tracked down the change that caused this, and it should be fixed as part of a security update soon. The change is in code specific to 64-bit x86 (i.e. the Debian amd64 architecture). If you need suspend/resume to work, you might wish to avoid upgrading the linux-image-3.2.0-4-amd64 package until that future update.
Update: I have uploaded packages with the problematic changes reverted to people.debian.org. The version number is 3.2.65-1+deb7u1~test (lower than the next security update will be). Mail 774436@bugs.debian.org if this doesn't work for you.
Debian LTS work, December 2014
This was my first month working on Debian LTS. My first project at Codethink was winding down, so Freexian's Debian LTS initiative was able to hire me via Codethink. I spent all of the assigned 11.5 hours working on an update to the kernel package (linux-2.6, version 2.6.32-48squeeze9).