Feature #14728

Track security updates during the Tails code freeze

Added by anonym almost 2 years ago. Updated 6 months ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 09/26/2017
Due date:
% Done: 0%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool:

Description

This affects:

  1. packages we install from other dists than Debian stable, e.g. from Debian testing or Debian sid. A good example of the problem is the linux kernel which we install from sid; for instance, at the time of the 3.2 freeze we got linux 4.12.12-2, but in the middle of the freeze linux 4.12.13-1 was uploaded to sid, and it was not noticed until the final 3.2 was built so we missed out on several security updates.
  2. packages we override with our custom APT repo, see e.g. #14729 for one instance of this problem

Related issues

Related to Tails - Bug #14729: Fix gdk-pixbuf vulnerability (CVE-2017-2862) Resolved 09/26/2017
Related to Tails - Feature #15524: Iteration 1: Write release process documentation for custom packages Resolved 04/11/2018
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

History

#1 Updated by intrigeri almost 2 years ago

  • Related to Bug #14729: Fix gdk-pixbuf vulnerability (CVE-2017-2862) added

#2 Updated by intrigeri almost 2 years ago

  • Subject changed from Improve tracking of security updates during the freeze to Track security updates during the Tails code freeze
  • Description updated (diff)

#3 Updated by anonym almost 2 years ago

The comment #14729#note-4 is relevant here. In particular, I believe the solution to our security tracking woes is to automate it.

#4 Updated by intrigeri almost 2 years ago

A short-term, trivial fix would be to:

#5 Updated by anonym almost 2 years ago

  • Target version changed from Tails_3.3 to Tails_3.5

#6 Updated by anonym over 1 year ago

  • Target version changed from Tails_3.5 to Tails_3.6

#7 Updated by anonym over 1 year ago

  • Target version changed from Tails_3.6 to Tails_3.7

#8 Updated by intrigeri over 1 year ago

Regarding the 1st problem: check the list of packages upgraded between a build from our frozen release branch (stable or testing) and a build from a devel branch (that's unfrozen).

Regarding the 2nd problem: check if any included package has a smaller version than in Debian stable + security. E.g. use the same API as rmadison uses to query the Debian archive.
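The two checks intrigeri sketches in #8, as an added example that is not part of the ticket or of Tails' own tooling: a Python re-implementation of dpkg's version ordering, a diff of a frozen-branch manifest against a devel-branch one (problem 1), and a comparison of a manifest against rmadison-style output (problem 2). The manifests and the madison text are constructed sample data; only the two linux versions come from the ticket description, and querying the real archive is left to rmadison.

```python
def _verrevcmp(a, b):
    # dpkg's verrevcmp: alternate non-digit runs (by weight: '~' < end < digit < letter < other) and digit runs
    w = lambda c: -1 if c == '~' else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = (w(a[i]) if i < len(a) else 0), (w(b[j]) if j < len(b) else 0)
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == '0': i += 1
        while j < len(b) and b[j] == '0': j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def debian_version_cmp(v1, v2):
    """-1, 0 or 1 like `dpkg --compare-versions` for [epoch:]upstream[-revision]."""
    def parts(v):
        epoch, _, rest = v.partition(':') if ':' in v else ('0', '', v)
        upstream, _, rev = rest.rpartition('-') if '-' in rest else (rest, '', '')
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = parts(v1), parts(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def lagging_packages(build, madison_text, suites=('stable', 'stable-security')):
    """Problem 2: build packages older than the newest version Debian ships in `suites`."""
    newest = {}  # from rmadison-style ' pkg | version | suite | arch' lines
    for line in madison_text.strip().splitlines():
        pkg, ver, suite, _arch = (f.strip() for f in line.split('|'))
        if suite in suites and (pkg not in newest or debian_version_cmp(ver, newest[pkg]) > 0):
            newest[pkg] = ver
    return sorted((p, v, newest[p]) for p, v in build.items()
                  if p in newest and debian_version_cmp(v, newest[p]) < 0)

def upgraded_between(frozen, devel):
    """Problem 1: packages that moved on in an unfrozen devel build versus the frozen one."""
    return sorted((p, frozen[p], devel[p]) for p in frozen
                  if p in devel and debian_version_cmp(frozen[p], devel[p]) < 0)

FROZEN = {'linux': '4.12.12-2', 'libexample': '1.2.3-1'}  # constructed manifests; linux versions as in the ticket
DEVEL = {'linux': '4.12.13-1', 'libexample': '1.2.3-1'}
MADISON = """ libexample | 1.2.3-1        | stable          | source
 libexample | 1.2.3-1+deb9u1 | stable-security | source
 linux      | 4.12.13-1      | unstable        | source"""
```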

#9 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.7 to Tails_3.8

#10 Updated by intrigeri over 1 year ago

  • Target version changed from Tails_3.8 to Tails_3.10.1

#11 Updated by u about 1 year ago

  • Assignee changed from anonym to intrigeri

I'm tentatively reassigning this to FT so you can decide what to do with this ticket.

#12 Updated by intrigeri about 1 year ago

  • Assignee changed from intrigeri to anonym

I'm tentatively reassigning this to FT so you can decide what to do with this ticket.

I'd rather leave such tickets assigned to anonym for now so they stand out as something that needs to be shared differently and reassigned, which will make it easier for our team to organize.

#13 Updated by intrigeri about 1 year ago

  • Related to Feature #15524: Iteration 1: Write release process documentation for custom packages added

#14 Updated by segfault 11 months ago

This should also include checking for updates of our custom packages for VeraCrypt support (see #15524)

#15 Updated by intrigeri 11 months ago

  • Target version changed from Tails_3.10.1 to Tails_3.11

#16 Updated by anonym 10 months ago

  • Target version changed from Tails_3.11 to Tails_3.12

#17 Updated by anonym 8 months ago

intrigeri wrote:

I'm tentatively reassigning this to FT so you can decide what to do with this ticket.

I'd rather leave such tickets assigned to anonym for now so they stand out as something that needs to be shared differently and reassigned, which will make it easier for our team to organize.

I'm still having this ticket on my plate, but I'd love if someone else would take it.

#19 Updated by intrigeri 8 months ago

#20 Updated by intrigeri 8 months ago

  • Assignee deleted (anonym)
  • Target version changed from Tails_3.12 to Tails_3.13

#21 Updated by intrigeri 6 months ago

  • Target version deleted (Tails_3.13)

#22 Updated by intrigeri 6 months ago

#23 Updated by intrigeri 6 months ago
