Secure testing team - Mar 2006 - Moving forward with the 2.4.27 and 2.6.8 kernels

* Horms wrote:
> 2. 2.6.8-16sarge1 for stable-security  
> 3. 2.4.27-10sarge1 for stable-security  
Builds finished on alpha.

Norbert

Hi,

Here is my proposal for the immediate future of 2.4.27 and 2.6.8. 
I''m pretty comforatble with the shape of both of them in SVN,
and its probably a good time to think about some releases -
security bugs keep coming in all the time, but I really think
we have to draw a line in the sand and make a release.

To get this ball rolling I plan to release kernel-source-2.4.27
2.4.27-11 and kernel-image-2.4.27-i386 2.4.27-11 into unstable tomorrow.
This is tagged in SVN, and I have made the packages available at
http://packages.vergenet.net/pending/ (i386 still building, will
be available soon). I will upload to unstable tomorrow if there
are no objections.  Other architecture maintainers, now would be a good
time to either kick of a build, of file a bug with the ftp maintainers
to have your arch''s 2.4.27 kernel removed from Sid. This has already
been done for powerpc.

On the topic of Sid, I think we need to keep 2.4.27 there for now.
I''ve been told that the s390 installer works it, and its needed
for some m68k flavours (mac users who want a working keyboard IRRC).
In any case Christoph Hellwig pointed out that as long as its
just a matter of recompiling the sarge kernel, its not much of a bother.

So for now, the most up to date 2.4.27 is going to be in Sid, and sarge
updates can be cherry-picked from there. And as I mentioned above,
arches whose upstream has abandoned 2.4 (like powerpc) should be removed
from Sid.

2.6.8 will be removed from Sid shortly, so it might be appropriate
to use volatile to make new 2.6.8 kernels available. But I''d rather
just use volatile for 2.6.12, which seems more in the spirit of
volatile, and just make proposed-updates and proposed-secrity-updates
for 2.6.8. Anyone with input on what queues to use, please, lets
discuss that here.

Back to releases. After 2.4.27-11 is out, which should be very soon,
I would like to take what we have in SVN for both 2.6.8 and 2.4.27,
strip out all the non-security patches since Sarge (2.6.8-16 and
2.4.27-10) and make a security release. When I say strip out, I
mean comment out the changelog line and the patch entry in the
series file. Thats all. There doesn''t seem any reason to hide
other changes that have been included in SVN. Nor any reason
not to include the patches in the release - even if they aren''t
applied.
In short, this should make producing a security release a simple matter
of reading the changelog, adding a dozen or so # characters,
tagging and building. 

Of course as many arches need to do builds as possible. And as I
mentioned above, I am a little unsure about what queue to use for
security updates. Which is why I am writing this message.

After all of that I''d like to look at getting some packages together
for a Sarge update (i.e. Sarge r1). Thats probably just a matter
of uploadin to the right queue. Though it would be nice to know
about what the planned timing for releasing r1 is, as it would
be nice to make sure a kernel came out a bit before the release.

-- 
Horms

On Tue, Aug 16, 2005 at 01:22:02PM -0600, dann frazier
wrote:
> On Tue, 2005-08-16 at 15:31 +0900, Horms wrote:
> > Hi,
> > 
> > Here is my proposal for the immediate future of 2.4.27 and 2.6.8. 
> > I''m pretty comforatble with the shape of both of them in SVN,
> > and its probably a good time to think about some releases -
> > security bugs keep coming in all the time, but I really think
> > we have to draw a line in the sand and make a release.
> > 
> > To get this ball rolling I plan to release kernel-source-2.4.27
> > 2.4.27-11 and kernel-image-2.4.27-i386 2.4.27-11 into unstable
tomorrow.
> > This is tagged in SVN, and I have made the packages available at
> > http://packages.vergenet.net/pending/ (i386 still building, will
> > be available soon). 
> 
> I see 2.6.8-16sarge1 there, but not 2.4.27.
> Are you wanting us to builds against 2.6.8-16sarge1?  And if so, should
> we be building in a pristine sarge environment and targeting
> stable-security (vs. unstable)?
Yes, I''ve done 2.6.8-16sarge1, but ran out of day before
I got to 2.4.27-10sarge1. I''ll try and make that happen today
or tomorrow.
> Are you wanting us to builds against 2.6.8-16sarge1?  And if so,
> should
> we be building in a pristine sarge environment and targeting
> stable-security (vs. unstable)?
Yes, please.

Hopefully the security team will let us know the best way
to make these updates available to them - I susbequently
read up on queues and see that DDs are explicitily asked
not to upload to the security updates quese without the
ok from the security team. Hopefully they can give us an ok,
but In the mean time perhaps getting our packages up on 
people.debian.org would be a good idea. We could even start
passing URLs around for people who want to get their hands on
the packages.
> The rest of this message leads me to believe this is only a call for
> 2.4.27/unstable builds.
Sorry if this was a bit unclear. Basically I am calling for three builds.

1. 2.4.27-11 for unstable  
   - source packages now up on http://packages.vergenet.net/pending/
   - I will upload source and i386 today
   - If your arch should have 2.4.27 removed from unstable, make that so

2. 2.6.8-16sarge1 for stable-security  
   - source packages now up on http://packages.vergenet.net/pending/
   - need feedback from security team on how to coordinate this release
   - please make packages available and publish a URL in the mean time,
     perhaps on people.debian.org

3. 2.4.27-10sarge1 for stable-security  
   - source packages not prepared yet. I hope to do that today
   - need feedback from security team on how to coordinate this release

-- 
Horms

On Tue, 2005-08-16 at 15:31 +0900, Horms wrote:
> Hi,
> 
> Here is my proposal for the immediate future of 2.4.27 and 2.6.8. 
> I''m pretty comforatble with the shape of both of them in SVN,
> and its probably a good time to think about some releases -
> security bugs keep coming in all the time, but I really think
> we have to draw a line in the sand and make a release.
> 
> To get this ball rolling I plan to release kernel-source-2.4.27
> 2.4.27-11 and kernel-image-2.4.27-i386 2.4.27-11 into unstable tomorrow.
> This is tagged in SVN, and I have made the packages available at
> http://packages.vergenet.net/pending/ (i386 still building, will
> be available soon). 
I see 2.6.8-16sarge1 there, but not 2.4.27.
Are you wanting us to builds against 2.6.8-16sarge1?  And if so, should
we be building in a pristine sarge environment and targeting
stable-security (vs. unstable)?

The rest of this message leads me to believe this is only a call for
2.4.27/unstable builds.

On Wed, Aug 17, 2005 at 02:16:01PM +0900, Horms wrote:
> On Wed, Aug 17, 2005 at 11:06:59AM +0900, Horms wrote:
> > On Tue, Aug 16, 2005 at 01:22:02PM -0600, dann frazier wrote:
> 
> [snip]
> 
> > > The rest of this message leads me to believe this is only a call
for
> > > 2.4.27/unstable builds.
> > 
> > Sorry if this was a bit unclear. Basically I am calling for three
builds.
> > 
> > 1. 2.4.27-11 for unstable  
> >    - source packages now up on http://packages.vergenet.net/pending/
> >    - I will upload source and i386 today
> 
>        I have uploaded source and i386 to unsable now.
>        There will be no powerpc upload as it is scheduled for removal from
Sid.
> 
> >    - If your arch should have 2.4.27 removed from unstable, make that
so
> > 
> > 2. 2.6.8-16sarge1 for stable-security  
> >    - source packages now up on http://packages.vergenet.net/pending/
> 
>        i386 and powerpc packages are also available now
> 
> >    - need feedback from security team on how to coordinate this
release
> >    - please make packages available and publish a URL in the mean
time,
> >      perhaps on people.debian.org
> > 
> > 3. 2.4.27-10sarge1 for stable-security  
> >    - source packages not prepared yet. I hope to do that today
> 
>        I am working on this now
       - source, i386 and powerpc images are now up on 
         http://packages.vergenet.net/pending/
	 
	 Sorry this took a bit longer than expected. I had the source
	 packages ready last night, but forgot to upload them.
> >    - need feedback from security team on how to coordinate this
release
-- 
Horms

On Fri, 2005-08-19 at 09:30 +0200, Norbert Tretkowski
wrote:
> * Horms wrote:
> > 2. 2.6.8-16sarge1 for stable-security  
> > 3. 2.4.27-10sarge1 for stable-security  
> 
I can do sparc builds mid-next-week; probably not before then, unless
someone can make (reasonably fast) hardware available to me.

On Thu, Aug 18, 2005 at 12:55:24AM -0700, Steve Langasek
wrote:
> Hi Horms,
> 
> The plans you''ve described all sound good.  I''m glad to
see some
> movement on the question of kernel updates for sarge.
> 
> On Tue, Aug 16, 2005 at 03:31:21PM +0900, Horms wrote:
> 
> > Back to releases. After 2.4.27-11 is out, which should be very soon,
> > I would like to take what we have in SVN for both 2.6.8 and 2.4.27,
> > strip out all the non-security patches since Sarge (2.6.8-16 and
> > 2.4.27-10) and make a security release. When I say strip out, I
> > mean comment out the changelog line and the patch entry in the
> > series file. Thats all. There doesn''t seem any reason to hide
> > other changes that have been included in SVN. Nor any reason
> > not to include the patches in the release - even if they
aren''t applied.
> > In short, this should make producing a security release a simple
matter
> > of reading the changelog, adding a dozen or so # characters,
> > tagging and building. 
> 
> You''ll have to get the security team''s ok on this,
though; I understand
> that you''re coming from the position of wanting it to be easy to
build
> these security updates off of the current tree, but the security team is
> definitely going to be coming at it from the other direction -- wanting
> to have a handle on what the differences are compared with the current
> stable package.
All the patches are broken out. So just because a patch is presant,
doesn''t mean its applied. And if it isn''t applied, then it
isn''t
included in the code that is build. But I can understand that the
security team might be more comfortable in ommitting the patches.

Obviously the security team needs to be involved. However
CCing them on emails seems largely fruitless. Do you have
any ideas on how to work with them to make this release happen?
It is becoming quite frustrating to say the least.
> > Of course as many arches need to do builds as possible. And as I
> > mentioned above, I am a little unsure about what queue to use for
> > security updates. Which is why I am writing this message.
> 
> I think I saw that you figured this out in a later message, but just to
> confirm, the builds will need to go to the stable-security queue on
> security.debian.org, and need to be approved by the security team
> before being uploaded.
Yeah, I read up on that after I sent this message.
> > After all of that I''d like to look at getting some packages
together
> > for a Sarge update (i.e. Sarge r1). Thats probably just a matter
> > of uploadin to the right queue. Though it would be nice to know
> > about what the planned timing for releasing r1 is, as it would
> > be nice to make sure a kernel came out a bit before the release.
> 
> Yes, for this you should be able to upload to the "stable" queue
on
> ftp-master.debian.org at any time.  Your r1 updates should have a later
> version number than your proposed security updates, so that the one with
> the more complete set of fixes takes precedence.  As far as a schedule
> for r1, you''d need to ask Joey Schulze.
Ok, I''ve CCed him on this mail to try and get his attention.



-- 
Horms

* Norbert Tretkowski wrote:
> * Horms wrote:
> > 2. 2.6.8-16sarge1 for stable-security  
> > 3. 2.4.27-10sarge1 for stable-security  
> 
> Builds finished on alpha.
http://people.debian.org/~nobse/kernel/alpha/sarge/

Norbert

On Thu, 2005-08-18 at 10:54 +0900, Horms wrote:
> > > 3. 2.4.27-10sarge1 for stable-security  
> > >    - source packages not prepared yet. I hope to do that today
> > 
> >        I am working on this now
> 
>        - source, i386 and powerpc images are now up on 
>          http://packages.vergenet.net/pending/
> 	 
> 	 Sorry this took a bit longer than expected. I had the source
> 	 packages ready last night, but forgot to upload them.
ia64 builds available here: 
  http://people.debian.org/~dannf/kernel/ia64/2.4.27/

Note that I plan to request 2.4.27/ia64''s removal once I have time to
remove d-i''s dependency upon it.

On Fri, 2005-08-19 at 10:21 -0400, Andres Salomon wrote:
> On Fri, 2005-08-19 at 09:30 +0200, Norbert Tretkowski wrote:
> > * Horms wrote:
> > > 2. 2.6.8-16sarge1 for stable-security  
> > > 3. 2.4.27-10sarge1 for stable-security  
> > 
> 
> I can do sparc builds mid-next-week; probably not before then, unless
> someone can make (reasonably fast) hardware available to me.
I''ve got a 2.6.8 going on a slow sparc - I predict it will be done in
2-3 days.  Changes are committed.

On Wed, 2005-08-17 at 11:06 +0900, Horms wrote:
> 2. 2.6.8-16sarge1 for stable-security  
>    - source packages now up on http://packages.vergenet.net/pending/
>    - need feedback from security team on how to coordinate this release
>    - please make packages available and publish a URL in the mean time,
>      perhaps on people.debian.org
fyi, ia64 build available here:
  http://people.debian.org/~dannf/kernel/ia64/2.6.8/

On Thu, 2005-08-18 at 18:51 +0900, Horms wrote:
[...]
> Obviously the security team needs to be involved. However
> CCing them on emails seems largely fruitless. Do you have
> any ideas on how to work with them to make this release happen?
> It is becoming quite frustrating to say the least.
> 

My recommendation is to join the security team.   :D

Hello,

AMD64 builds for both i386 and AMD64 are available here:

http://amd64.debian.net/~fs/2.6.8-16sarge1/

best regards
Frederik Schueler

-- 
ENOSIG
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20050818/a7314772/attachment.pgp

On Tue, Aug 16, 2005 at 03:31:22PM +0900, Horms wrote:
> 
> On the topic of Sid, I think we need to keep 2.4.27 there for now.
> I''ve been told that the s390 installer works it, and its needed
> for some m68k flavours (mac users who want a working keyboard IRRC).
Mac users who want a working keyboard have to use 2.2.25, there is no
working 2.4.x kernel for Mac, where as 2.6.12 boots, works, but does not
allow you to use keyboard or mouse. 

2.4.27 is needed on m68k for all but Amiga it seems, since Amiga is the only
flavour that works with 2.6, afaik. I have reports, that MVME167 and Atari
do not work, I would not wonder if the other VME flavours have difficulties,
too. No reports so far for Q40, Sun3, or HP, but if the other flavours were
fixed, I wouldn''t mind ignoring the unknown flavours.

Christian

On Tue, Aug 16, 2005 at 03:31:21PM +0900, Horms wrote:
> Hi,
> 
> Here is my proposal for the immediate future of 2.4.27 and 2.6.8. 
> I''m pretty comforatble with the shape of both of them in SVN,
> and its probably a good time to think about some releases -
> security bugs keep coming in all the time, but I really think
> we have to draw a line in the sand and make a release.
> 
> To get this ball rolling I plan to release kernel-source-2.4.27
> 2.4.27-11 and kernel-image-2.4.27-i386 2.4.27-11 into unstable tomorrow.
> This is tagged in SVN, and I have made the packages available at
> http://packages.vergenet.net/pending/ (i386 still building, will
> be available soon). I will upload to unstable tomorrow if there
> are no objections.  Other architecture maintainers, now would be a good
> time to either kick of a build, of file a bug with the ftp maintainers
> to have your arch''s 2.4.27 kernel removed from Sid. This has
already
> been done for powerpc.
The 2.4.27-11 i386 packages are now available.
> On the topic of Sid, I think we need to keep 2.4.27 there for now.
> I''ve been told that the s390 installer works it, and its needed
> for some m68k flavours (mac users who want a working keyboard IRRC).
> In any case Christoph Hellwig pointed out that as long as its
> just a matter of recompiling the sarge kernel, its not much of a bother.
> 
> So for now, the most up to date 2.4.27 is going to be in Sid, and sarge
> updates can be cherry-picked from there. And as I mentioned above,
> arches whose upstream has abandoned 2.4 (like powerpc) should be removed
> from Sid.
> 
> 2.6.8 will be removed from Sid shortly, so it might be appropriate
> to use volatile to make new 2.6.8 kernels available. But I''d
rather
> just use volatile for 2.6.12, which seems more in the spirit of
> volatile, and just make proposed-updates and proposed-secrity-updates
> for 2.6.8. Anyone with input on what queues to use, please, lets
> discuss that here.
> 
> Back to releases. After 2.4.27-11 is out, which should be very soon,
> I would like to take what we have in SVN for both 2.6.8 and 2.4.27,
> strip out all the non-security patches since Sarge (2.6.8-16 and
> 2.4.27-10) and make a security release. When I say strip out, I
> mean comment out the changelog line and the patch entry in the
> series file. Thats all. There doesn''t seem any reason to hide
> other changes that have been included in SVN. Nor any reason
> not to include the patches in the release - even if they aren''t
applied.
> In short, this should make producing a security release a simple matter
> of reading the changelog, adding a dozen or so # characters,
> tagging and building. 
I have started a security branch in branches/dist/sarge-security.
Feel free to move this if it is the wong place.

In there I have seeded i386, powerpc and source for 2.6.8 (-16sarge1).
I have made built source packages and made them available
in http://packages.vergenet.net/pending/ Please review and check
arch builds. I haven''t taged yet, that can wait until tomorrow
(I''m really tired and need to go home).

I am currently building i386 and powerpc. I will let you know how
this goes. 

I will also try and get 2.4.27-10sarge1 happening tomorrow.
> Of course as many arches need to do builds as possible. And as I
> mentioned above, I am a little unsure about what queue to use for
> security updates. Which is why I am writing this message.
> 
> After all of that I''d like to look at getting some packages
together
> for a Sarge update (i.e. Sarge r1). Thats probably just a matter
> of uploadin to the right queue. Though it would be nice to know
> about what the planned timing for releasing r1 is, as it would
> be nice to make sure a kernel came out a bit before the release.
-- 
Horms

Hi Horms,

The plans you''ve described all sound good.  I''m glad to see
some
movement on the question of kernel updates for sarge.

On Tue, Aug 16, 2005 at 03:31:21PM +0900, Horms wrote:
> Back to releases. After 2.4.27-11 is out, which should be very soon,
> I would like to take what we have in SVN for both 2.6.8 and 2.4.27,
> strip out all the non-security patches since Sarge (2.6.8-16 and
> 2.4.27-10) and make a security release. When I say strip out, I
> mean comment out the changelog line and the patch entry in the
> series file. Thats all. There doesn''t seem any reason to hide
> other changes that have been included in SVN. Nor any reason
> not to include the patches in the release - even if they aren''t
applied.
> In short, this should make producing a security release a simple matter
> of reading the changelog, adding a dozen or so # characters,
> tagging and building. 
You''ll have to get the security team''s ok on this, though; I
understand
that you''re coming from the position of wanting it to be easy to build
these security updates off of the current tree, but the security team is
definitely going to be coming at it from the other direction -- wanting
to have a handle on what the differences are compared with the current
stable package.
> Of course as many arches need to do builds as possible. And as I
> mentioned above, I am a little unsure about what queue to use for
> security updates. Which is why I am writing this message.
I think I saw that you figured this out in a later message, but just to
confirm, the builds will need to go to the stable-security queue on
security.debian.org, and need to be approved by the security team
before being uploaded.
> After all of that I''d like to look at getting some packages
together
> for a Sarge update (i.e. Sarge r1). Thats probably just a matter
> of uploadin to the right queue. Though it would be nice to know
> about what the planned timing for releasing r1 is, as it would
> be nice to make sure a kernel came out a bit before the release.
Yes, for this you should be able to upload to the "stable" queue on
ftp-master.debian.org at any time.  Your r1 updates should have a later
version number than your proposed security updates, so that the one with
the more complete set of fixes takes precedence.  As far as a schedule
for r1, you''d need to ask Joey Schulze.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20050818/44ab46bd/attachment.pgp

On Wed, Aug 17, 2005 at 11:06:59AM +0900, Horms wrote:
> On Tue, Aug 16, 2005 at 01:22:02PM -0600, dann frazier wrote:
[snip]
> > The rest of this message leads me to believe this is only a call for
> > 2.4.27/unstable builds.
> 
> Sorry if this was a bit unclear. Basically I am calling for three builds.
> 
> 1. 2.4.27-11 for unstable  
>    - source packages now up on http://packages.vergenet.net/pending/
>    - I will upload source and i386 today
       I have uploaded source and i386 to unsable now.
       There will be no powerpc upload as it is scheduled for removal from Sid.
>    - If your arch should have 2.4.27 removed from unstable, make that so
> 
> 2. 2.6.8-16sarge1 for stable-security  
>    - source packages now up on http://packages.vergenet.net/pending/
       i386 and powerpc packages are also available now
>    - need feedback from security team on how to coordinate this release
>    - please make packages available and publish a URL in the mean time,
>      perhaps on people.debian.org
> 
> 3. 2.4.27-10sarge1 for stable-security  
>    - source packages not prepared yet. I hope to do that today
       I am working on this now
>    - need feedback from security team on how to coordinate this release
-- 
Horms

On Fri, 2005-08-19 at 14:00 -0600, dann frazier wrote:
> On Fri, 2005-08-19 at 10:21 -0400, Andres Salomon wrote:
> > On Fri, 2005-08-19 at 09:30 +0200, Norbert Tretkowski wrote:
> > > * Horms wrote:
> > > > 2. 2.6.8-16sarge1 for stable-security  
> > > > 3. 2.4.27-10sarge1 for stable-security  
> > > 
> > 
> > I can do sparc builds mid-next-week; probably not before then, unless
> > someone can make (reasonably fast) hardware available to me.
> 
> I''ve got a 2.6.8 going on a slow sparc - I predict it will be done
in
> 2-3 days.  Changes are committed.
Frans Pop hooked me up w/ access to a faster sparc; build ETA greatly
shortened.  I should be able to get 2.4.27 done as well.

On Fri, 2005-08-19 at 15:00 -0600, dann frazier wrote:
> On Fri, 2005-08-19 at 14:00 -0600, dann frazier wrote:
> > On Fri, 2005-08-19 at 10:21 -0400, Andres Salomon wrote:
> > > On Fri, 2005-08-19 at 09:30 +0200, Norbert Tretkowski wrote:
> > > > * Horms wrote:
> > > > > 2. 2.6.8-16sarge1 for stable-security  
> > > > > 3. 2.4.27-10sarge1 for stable-security  
> > > > 
> > > 
> > > I can do sparc builds mid-next-week; probably not before then,
unless
> > > someone can make (reasonably fast) hardware available to me.
> > 
> > I''ve got a 2.6.8 going on a slow sparc - I predict it will be
done in
> > 2-3 days.  Changes are committed.
> 
> Frans Pop hooked me up w/ access to a faster sparc; build ETA greatly
> shortened.  I should be able to get 2.4.27 done as well.
sparc 2.6.8 build here:
  http://people.debian.org/~dannf/kernel/sparc/2.6.8/

2.4.27 is building.

On Mon, 2005-08-22 at 11:58 -0600, dann frazier wrote:
> On Fri, 2005-08-19 at 15:00 -0600, dann frazier wrote:
> > On Fri, 2005-08-19 at 14:00 -0600, dann frazier wrote:
> > > On Fri, 2005-08-19 at 10:21 -0400, Andres Salomon wrote:
> > > > On Fri, 2005-08-19 at 09:30 +0200, Norbert Tretkowski wrote:
> > > > > * Horms wrote:
> > > > > > 2. 2.6.8-16sarge1 for stable-security  
> > > > > > 3. 2.4.27-10sarge1 for stable-security  
> > > > > 
> > > > 
> > > > I can do sparc builds mid-next-week; probably not before
then, unless
> > > > someone can make (reasonably fast) hardware available to me.
> > > 
> > > I''ve got a 2.6.8 going on a slow sparc - I predict it
will be done in
> > > 2-3 days.  Changes are committed.
> > 
> > Frans Pop hooked me up w/ access to a faster sparc; build ETA greatly
> > shortened.  I should be able to get 2.4.27 done as well.
> 
> sparc 2.6.8 build here:
>   http://people.debian.org/~dannf/kernel/sparc/2.6.8/
> 
> 2.4.27 is building.
And done:
  http://people.debian.org/~dannf/kernel/sparc/2.4.27