Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

to fix several security issues in the non-free nvidia-graphics-drivers we need to switch to a new upstream release branch. The 375.xx branch has been discontinued by NVIDIA. Current long-lived branch is 384.xx which is soon superseded by 390.xx which will probably be a new legacy branch (like 304.xx, 340.xx) which has a longer support horizon. At least 390.xx will be the last branch having i386 support.

Fixed bugs:
 * alternatives handling on removal #883637
 * don't ship the pre-Linux 2.6 libnvidia-tls.so.* - cannot be used at all #883615
 * mitigation for CVE-2017-5753, CVE-2017-5715 (spectre), CVE-2017-5754 (meltdown) on the CPU side
 * CVE-2017-6266, CVE-2017-6267, CVE-2017-6272

Switching to a new upstream branch comes with a lot of reorganization in this case, causing several new packages to appear (and others to disappear):
 * wayland now uses an ICD approach as well: libnvidia-egl-wayland -> renamed to libnvidia-egl-wayland1 (plus nvidia-egl-wayland-common and nvidia-egl-wayland-icd added)
 * nvidia-nonglvnd-vulkan-common and nvidia-nonglvnd-vulkan-icd to fix the separation to the glvnd based vulkan implementation
 * libnvidia-ptxjitcompiler renamed to libnvidia-ptxjitcompiler1 after upstream decided on a stable SONAME
 * There are now also new nvidia-driver-libs-nonglvnd(-i386) metapackages to allow easier switching between the glvnd and non-glvnd variants of the libraries, while preventing mixing them in an incompatible way.
 * libgldispatch0-nvidia has been renamed to libglvnd0-nvidia to match src:libglvnd.
 * There are also several adjustments regarding src:libglvnd as it finally ended up in buster - alternative dependencies now use the package names used by src:libglvnd (that's usually lib*gl* where MESA used lib*gl*-mesa, therefore using real packages in buster that were virtual in stretch; at the time of packaging 355-375 I had expected something like lib*gl*-glvnd).

The proposed package is effectively the package from stretch-backports with a revised and merged changelog entry. There are only small modifications needed between sid and stretch, just something regarding the different MESA/libglvnd and Vulkan versions.

Upgrading from stable and switching between glvnd/non-glvnd has been carefully tested with the packages in stretch-backports.

The attached patch has been pruned from noise regarding MISSING symbols (the version where they disappeared had changed from 375.72 to 384 because they also existed in the 381 short lived branch) but contains otherwise the full diff of the debian/ directory.

There will be followup requests for updating the complete nvidia stack to new upstream versions, since these programs are free software (but mostly in contrib because only useful for the non-free drivers) and we build them ourselves from separate source packages ignoring the binaries shipped with the binary drivers:
  nvidia-settings
  nvidia-xconfig
  nvidia-modprobe
  nvidia-persistenced
(all are available in stretch-backports) and glx-alternatives for a small bugfix.

It's a very big diff this time (therefore sent separately) and I hope we don't have to repeat this too often :-( Backing out some changes would have produced a package with significantly less testing than what the packages in sid/stretch-backports have seen and I have much more confidence in this proposed upload to stretch that's effectively just a rebuild from sid/stretch-backports.

Andreas