Archive of posts from 2018
Debian LTS work, November 2018
I was assigned 20 hours of work by Freexian's Debian LTS initiative and worked all those hours.
I prepared and released another stable update for Linux 3.16 (3.16.61), but have not yet included this in a Debian upload.
I updated the firmware-nonfree package to fix security issues in wifi firmware and to provide additional firmware that may be requested by drivers in Linux 4.9. I issued DLA 1573-1 to describe this update.
I worked on documenting a bug in the installer that delays installation of updates to the kernel. The installer can only be updated as part of a point release, and these are not done after the LTS team takes on responsibility for a release. Laura Arjona drafted an addition to the Errata section of the official jessie installer page and I reviewed this. I also updated the LTS/Installing wiki page.
I also participated in various discussions on the debian-lts mailing list.
Debian LTS work, October 2018
I was assigned 15 hours of work by Freexian's Debian LTS initiative and carried over 4 hours from September. I worked all 19 hours.
I released security updates for the linux (DLA 1529-1) and linux-4.9 (DLA 1531-1) packages. I prepared and released another stable update for Linux 3.16 (3.16.60), but have not yet included this in a Debian upload. I also released a security update for libssh (DLA 1548-1).
Debian LTS work, September 2018
I was assigned 15 hours of work by Freexian's Debian LTS initiative and carried over 18 hours from July and August. I worked 29 hours and therefore carry over 4 hours to October.
I prepared and released a stable update for Linux 3.16, and prepared a second stable update (3.16.59) which is now under review. This required substantial work to backport mitigations for Speculative Store Bypass (CVE-2018-3639) and L1 Terminal Fault (kernel) (CVE-2018-3620), and other changes that they depend on. I also rebased jessie's linux package in preparation to release a security update early in October.
Debian LTS work, August 2018
I was assigned 15 hours of work by Freexian's Debian LTS initiative and carried over 8 hours from July. I worked only 5 hours and therefore carried over 18 hours to September.
I prepared and uploaded updates to the linux-4.9 (DLA 1466-1, DLA 1481-1) and linux-latest-4.9 packages.
Debian LTS work, July 2018
I was assigned 15 hours of work by Freexian's Debian LTS initiative and carried over 3 hours from June. I worked 10 hours and therefore carried over 8 hours to August.
I uploaded an update to the linux package with fixes for a large number of security (and other) issues (DLA-1422-1). I had to make a second update to resolve a build failure on armhf (DLA-1422-2).
Since the "jessie-backports" suite is no longer accepting updates, and there are LTS users depending on the updated kernel (Linux 4.9) there, I added the linux-4.9 (DLA-1423-1) and linux-latest-4.9 (DLA-1424-1) packages to provide an upgrade path for these users. I also updated the linux-base package (DLA-1434-1) to satisfy the dependencies of the new linux-image binary packages.
Debian LTS work, June 2018
I was assigned 15 hours of work by Freexian's Debian LTS initiative and worked 12 hours, so I have carried 3 hours over to July. Since Debian 7 "wheezy" LTS ended at the end of May, I prepared for Debian 8 "jessie" to enter LTS status.
I prepared a stable update of Linux 3.16, sent it out for review, and then released it. I rebased jessie's linux package on this, but didn't yet upload it.
Since the "jessie-backports" suite is no longer accepting updates, and there are LTS users depending on the updated kernel (Linux 4.9) there, I prepared to add it to the jessie-security suite. The source package I have prepared is similar to what was in jessie-backports, but I have renamed it to "linux-4.9" and disabled building some binary packages to avoid conflicting with the standard linux source package. I also disabled building the "udeb" packages used in the installer, since I don't expect anyone to need them and building them would require updating the "kernel-wedge" package too. I didn't upload this either, since there wasn't a new linux version in "stretch" to backport yet.
Debian LTS work, May 2018
I was assigned 15 hours of work by Freexian's Debian LTS initiative and worked all those hours.
I uploaded the pending changes to linux at the beginning of the month, one of which had been embargoed. I prepared and released another update to the Linux 3.2 longterm stable branch (3.2.102). I then made a final upload of linux based on that.
Help the Debian kernel team to help you
I gave the first talk this morning at Mini-DebConf Hamburg, titled "Help the kernel team to help you". I briefly described several ways that Debian users and developers can make it easier (or harder) for us to deal with their requests. The slides are up on my talks page, and video should be available soon.
Debian LTS work, April 2018
I was assigned 15 hours of work by Freexian's Debian LTS initiative and carried over 2 hours from March. I worked all 17 hours.
In support of the "retpoline" mitigation for Spectre variant 2, I added a backport of gcc-4.9 to wheezy (as gcc-4.9-backport), based on work by Roberto Sánchez and on the existing gcc-4.8 backport (gcc-mozilla). I also updated the linux-tools package to support building external modules with retpolines enabled. Finally, I completed an update to the linux package, but delayed uploading it until 1st May due to an embargoed issue.
Debian LTS work, March 2018
I was assigned 15 hours of work by Freexian's Debian LTS initiative and carried over 2 hours from February. I worked 15 hours and will again carry over 2 hours to April.
I made another two releases on the Linux 3.2 longterm stable branch (3.2.100 and 3.2.101), the latter including mitigations for Spectre on x86. I rebased the Debian package onto 3.2.101 but didn't upload an update to Debian this month. We will need to add gcc-4.9 to wheezy before we can enable all the mitigations for Spectre variant 2.
Debian LTS work, February 2018
I was assigned 15 hours of work by Freexian's Debian LTS initiative and worked 13 hours. I will carry over 2 hours to March.
I made another release on the Linux 3.2 longterm stable branch (3.2.99) and started the review cycle for the next update (3.2.100). I rebased the Debian package onto 3.2.99 but didn't upload an update to Debian this month.
I also discussed the possibilities for cooperation between Debian LTS and CIP, briefly reviewed leptonlib for additional security issues, and updated the wiki page about the status of Spectre and Meltdown in Debian.
Debian LTS work, January 2018
I was assigned 15 hours of work by Freexian's Debian LTS initiative and carried over 8 hours from December. I worked all these hours.
I put together and tested a more-or-less complete backport of KPTI/KAISER to Linux 3.2, based on work by Hugh Dickins and several others. This mitigates the Meltdown vulnerability on amd64 (only). I prepared and uploaded an update for wheezy with this and several other security fixes, and issued DLA-1232-1. I also released another update on the Linux 3.2 longterm stable branch (3.2.98), and started work on the next (3.2.99).
Meltdown and Spectre in Debian
I'll assume everyone's already heard repeatedly about the Meltdown and Spectre security issues that affect many CPUs. If not, see meltdownattack.com. These primarily affect systems that run untrusted code - such as multi-tenant virtual hosting systems. Spectre is also a problem for web browsers with JavaScript enabled.
Meltdown
Over the last week the Debian kernel team has worked to mitigate Meltdown in all suites. This mitigation is currently limited to kernels running in 64-bit mode (amd64 architecture), but the issue affects 32-bit mode as well.
You can see where this mitigation is applied on the security tracker. As of today, wheezy, jessie, jessie-backports, stretch and unstable/sid are fixed while stretch-backports, testing/buster and experimental are not.
Spectre
Spectre needs to be mitigated in the kernel, browsers, and potentially other software. Currently the kernel changes to mitigate it are still under discussion upstream. Mozilla has started mitigating Spectre in Firefox and some of these changes are now in Debian unstable (version 57.0.4-1). Chromium has also started mitigating Spectre but no such changes have landed in Debian yet.
Debian LTS work, December 2017
I was assigned 14 hours of work by Freexian's Debian LTS initiative, but only worked 6 hours so I carried over 8 hours to January.
I prepared and uploaded an update to the Linux kernel to fix various security issues. I issued DLA-1200-1 for this update. I also prepared another update on the Linux 3.2 longterm stable branch, though most of that work was done while on holiday so I didn't count the hours. I spent some time following the closed mailing list used to coordinate backports of KPTI/KAISER.