Re: working for wheezy-security until wheezy-lts starts
On 13.03.2016 at 04:32, Brian May wrote:
> Brian May writes:
>
>>> 2. Spend some time on investigating what it takes to backport
>>> libav from jessie to wheezy. 11.x is still supported by
>>> libav upstream and we could share triage work for jessie/wheezy
>>> going forwards. 0.8 has simply too much missing.
>>> There will be a few applications which are going to break due to
>>> API changes, possibly exclude some exotic ones from wheezy LTS
>>> support and backport some fixes for important apps from jessie.
>>> (Most of the changes are fairly straightforward, e.g. they renamed
>>> lots of internal constants).
>
> Am I supposed to mark anywhere that I am now working on libav?

Hi Brian,

you could add your name to one of the existing TODO items at
https://wiki.debian.org/LTS/TODO or create new ones as you see fit.

Regards,
Markus
Re: working for wheezy-security until wheezy-lts starts
Hi Brian,

On Sun, Mar 13, 2016 at 11:13:31AM +1100, Brian May wrote:
> Moritz Mühlenhoff writes:
>
>> 1. We're already one wheezy update behind for xen (since some of
>> the changes were invasive and complex). It would be great if
>> someone from the Freexian sponsor pool would work on a wheezy
>> update for Xen. It's probably a solid day of work, though, but
>> it will also clarify whether it's feasible to continue to support
>> Xen in Wheezy LTS (while 4.1 has been EOLed by upstream for
>> quite a while now).
>
> So what needs to happen here? Not sure what is meant by "We're already
> one wheezy update behind for xen".
>
> I see wheezy has version 4.1.4-3+deb7u8 - do we need to attempt to
> update this to version 4.1.6.1 - the latest 4.1.* version?

Looking at

http://metadata.ftp-master.debian.org/changelogs/main/x/xen/xen_4.1.4-3+deb7u9_changelog

and the source package, the current practice is to pull in the individual
patches.

> If so I imagine this would require:
>
> - identifying which CVEs are fixed in 4.1.6.1
> - updating xen package
> - updating the kernel packages (if this is required? Not sure if the
>   kernel code is considered part of the xen release or not anymore)

The hypervisor (dom0) is built from Xen sources:

https://packages.debian.org/wheezy/xen-hypervisor-4.1-i386

while the PV guests use the "regular" linux kernel

https://packages.debian.org/wheezy/xen-linux-system-3.2.0-4-amd64

so I read this as: the linux kernel only needs to be updated if guest parts
are affected.

> and/or do we attempt to backport the security patches from some newer
> release?
>
> I also note that there are a large number of unfixed vulnerabilities for
> all versions including sid.
>
> https://security-tracker.debian.org/tracker/source-package/xen

Sid has Xen 4.6 and looking at the CVEs that affect sid the patches don't
seem to be applied, so the tracker looks correct; there's plenty of work
left. Are you going to look at the Wheezy packages?

I wonder if somebody can give some hints on how current Xen updates are
being tested? Running xen in KVM works in some KVM/Xen combinations but
not others (and doesn't allow for HVM testing). Do we have some test
suite? If not I'd set out to build one if we want to support this in LTS.

Cheers,
 -- Guido
Re: tracking security issues without CVEs
On Sat, Mar 12, 2016 at 10:51 PM, Kurt Roeckx wrote:
> On Sun, Mar 06, 2016 at 03:33:16PM +1100, Brian May wrote:
>> For example, if there are no CVEs are we able to use OVEs instead?
>
> What about DWF?

That didn't exist at the time of Brian's post. I think OVE/OVI still
have less friction than DWF, you just need to press a button.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Re: working for wheezy-security until wheezy-lts starts
On Sun, Mar 13, 2016 at 12:52:09PM +0100, Guido Günther wrote:
> Looking at
>
> http://metadata.ftp-master.debian.org/changelogs/main/x/xen/xen_4.1.4-3+deb7u9_changelog
>
> and the source package the current practice is to pull in the individual
> patches.

Ack.

> I wonder if somebody can give some hints how current Xen updates are
> being tested? Since running xen in KVM works in some KVM/Xen
> combinations but not others (and doesn't allow for HVM testing). Do we
> have some test suite? If not I'd set out to build one if we want to
> support this in LTS.

They're being tested on live systems; there are a few volunteers who're
running this. I can dig out the contact addresses once the package for
wheezy is ready.

Cheers,
Moritz