Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: needrest...@packages.debian.org, pmatth...@debian.org
Control: affects -1 + src:needrestart
[ Reason ]
needrestart, starting with bookworm, supports more microcode checks than
before. In particular, it now checks AMD CPUs. The amd64-microcode
package seems to ship *fewer* firmware files than its Intel counterpart,
which leads *many* machines (half a dozen) in our fleet to suddenly
start warning us about "UNKNOWN" firmware status.

[ Impact ]
Spurious warnings lead to alert fatigue and consequently untimely
security upgrades, which is the main reason why I'm considering this
serious enough to warrant a stable update.

[ Tests ]
The provided patches were tested in production on a fleet (~50
machines) of Debian bookworm servers on torproject.org.

[ Risks ]
Code is relatively simple. There's a risk that operators who did *not*
install the amd64-microcode package will not get a warning, but that's
considered an operator error, and out of scope for this.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[~] the issue is verified as fixed in unstable

[ Changes ]
There are three patches here:

1. 05-fix-AMD-ucode-checking-in-non-debug-mode.patch - fixes a bug where
   AMD microcode checks would fail unless -v is passed
2. 06-uCode-fix-uninitialized-value-in-logging-of-processo.patch - fixes
   an uninitialized variable error, required for the other patches to work
3. 07-mark-unavailable-firmware-as-CURRENT.patch - do not mark
   unavailable firmware as "UNKNOWN"

The first and second patches have shipped in unstable with the -6
release; the last patch is pending.
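To make the trade-off behind patch 07 and the [ Risks ] section concrete, here is an added Python model of the status decision (example code written for this report, not needrestart's own Perl code): a CPU whose firmware file is missing from the installed package is reported UNKNOWN before the patch and CURRENT after it, so a host with no microcode package at all goes quiet. The OBSOLETE label, the fleet data and the revision numbers are constructed for the example.

```python
from typing import Optional

# UNKNOWN and CURRENT are the labels named in the report; OBSOLETE is an
# assumed label for "the package ships a newer revision", not necessarily
# the name needrestart itself uses.
UNKNOWN, CURRENT, OBSOLETE = "UNKNOWN", "CURRENT", "OBSOLETE"


def ucode_status(running_rev: int, shipped_rev: Optional[int],
                 unavailable_is_current: bool) -> str:
    """Classify one CPU's microcode.

    running_rev            -- revision the kernel reports for the running CPU
    shipped_rev            -- newest revision the installed microcode package
                              ships for this CPU model, or None when no file
                              covers it (or no package is installed at all)
    unavailable_is_current -- False models the pre-patch behaviour (UNKNOWN),
                              True models patch 07 (unavailable -> CURRENT)
    """
    if shipped_rev is None:
        return CURRENT if unavailable_is_current else UNKNOWN
    return CURRENT if running_rev >= shipped_rev else OBSOLETE


def hosts_needing_attention(fleet, unavailable_is_current: bool):
    """Names of hosts whose status is not CURRENT, i.e. those that would alert."""
    return [name for name, running, shipped in fleet
            if ucode_status(running, shipped, unavailable_is_current) != CURRENT]


# Constructed sample fleet: (host, running revision, shipped revision or None).
# The hosts and revision numbers are made up; they are not from the report.
FLEET = [
    ("amd-a", 0x0A201016, None),        # AMD CPU, no matching file in amd64-microcode
    ("amd-b", 0x08701021, None),        # same situation
    ("amd-c", 0x0830104D, 0x0830107A),  # AMD CPU that really is behind
    ("intel-a", 0xF0, 0xF0),            # Intel CPU already on the shipped revision
    ("nopkg", 0x0A201016, None),        # host with no microcode package installed
]

if __name__ == "__main__":
    # Before patch 07 the two "no file" hosts alert alongside the one real
    # problem; after it only amd-c alerts, and "nopkg" is silent (the risk
    # the report accepts as operator error).
    print("before patch 07:", hosts_needing_attention(FLEET, False))
    print("after patch 07: ", hosts_needing_attention(FLEET, True))
```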
[ Other info ]
anarcat@angela:dist$ debdiff needrestart_3.6-4.dsc needrestart_3.6-4+deb12u1.dsc | diffstat
dpkg-source: warning: extracting unsigned source package (/home/anarcat/dist/needrestart_3.6-4+deb12u1.dsc)
 changelog                                                             |    6
 patches/05-fix-AMD-ucode-checking-in-non-debug-mode.patch             |   33 +++++
 patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.patch |   30 ++++
 patches/07-mark-unavailable-firmware-as-CURRENT.patch                 |   61 ++++++++++
 patches/series                                                        |    3
 5 files changed, 133 insertions(+)

We might also want to consider updating to the unstable version directly,
as the patch is relatively similar; in fact it's currently *smaller*
because it's lacking the third patch here:

anarcat@angela:dist[1]$ debdiff needrestart_3.6-4.dsc needrestart_3.6-6.dsc | diffstat
 NEWS                                                                 |    8 --
 changelog                                                            |   26 +++++++
 control                                                              |    1
 patches/05-fix-AMD-ucode-checking-in-non-debug-mode.diff             |   33 ++++++++++
 patches/06-uCode-fix-uninitialized-value-in-logging-of-processo.diff |   30 +++++++++
 patches/series                                                       |    2
 6 files changed, 91 insertions(+), 9 deletions(-)