Feature #14999

Upgrade to Stretch 9.3

Added by intrigeri almost 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: -
Target version:
Start date: 11/25/2017
Due date:
% Done: 100%
Feature Branch: feature/14999-Stretch-9.3
Type of work: Research
Blueprint:
Starter:
Affected tool:

Description

Stretch 9.3 will be released on December 9th and Linux 4.14 should be uploaded to sid late November. If either one brings interesting updates, we should consider bumping our APT snapshots. We'll have 1.5 months to do QA so it does not seem crazy. We have tools and processes to do either one of these updates independently from each other, but by default they go together so let's first handle them as one. We did such an update for 3.3 (bugfix release as well) and it went fine AFAIK, e.g. the Linux 4.13 update fixed some hardware support and no regression was reported to me.


Related issues

Related to Tails - Bug #14786: Can't change resolution under KVM with QXL Resolved 10/04/2017
Blocks Tails - Feature #13244: Core work 2017Q4: Foundations Team Resolved 06/29/2017
Blocks Tails - Feature #14976: Upgrade the Linux kernel to get KPTI Resolved 11/17/2017

Associated revisions

Revision 6c23dc58 (diff)
Added by intrigeri almost 2 years ago

Update Debian APT snapshots to 2017120903 (refs: #14999)

Revision 5d5a2fc5
Added by anonym almost 2 years ago

Merge remote-tracking branch 'origin/feature/14999-Stretch-9.3' into stable

Fix-committed: #14999

History

#1 Updated by intrigeri almost 2 years ago

#2 Updated by intrigeri almost 2 years ago

  • Related to Feature #15000: Ensure we benefit from new security features in Linux 4.14 added

#3 Updated by intrigeri almost 2 years ago

  • Related to Bug #14786: Can't change resolution under KVM with QXL added

#5 Updated by intrigeri almost 2 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to feature/14999-Stretch-9.3

#6 Updated by intrigeri almost 2 years ago

intrigeri wrote:

List of bugfixes: https://lists.debian.org/debian-announce/2017/msg00009.html

tl;dr: a few non-critical security fixes (would be nice to have though), some syslinux boot problem fixes. If the diff doesn't look scary and the tests pass, I think we should take it.

#7 Updated by intrigeri almost 2 years ago

Here's the diff between the 3.3 build-manifest and the one I get when building from the topic branch:

@@ -1,9 +1,9 @@
 ---
 origin_references:
   debian:
-    reference: '2017110802'
+    reference: '2017120903'
   debian-security:
-    reference: '2017111304'
+    reference: '2017120903'
   torproject:
     reference: '2017110802'
 packages:
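Review bot: the `torproject` reference in `origin_references` stays at '2017110802' while `debian` and `debian-security` both move to '2017120903'. If leaving the torproject snapshot where it is was intentional, say so in the commit message or the ticket, so a later reader of the manifest does not take it for an oversight. The same goes for `debian-security`, which previously had a serial of its own ('2017111304') and now shares the one used for `debian`.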
@@ -97,7 +97,7 @@
     version: 1:019-3
   - arch: amd64
     package: base-files
-    version: 9.9+deb9u1
+    version: 9.9+deb9u3
   - arch: amd64
     package: base-passwd
     version: 3.5.43
@@ -265,7 +265,7 @@
     version: 2.2.1-8
   - arch: amd64
     package: curl
-    version: 7.52.1-5+deb9u2
+    version: 7.52.1-5+deb9u3
   - arch: amd64
     package: dash
     version: 0.5.8-2.4
@@ -277,13 +277,13 @@
     version: 5.0.0~beta~repack-2
   - arch: all
     package: dbus-user-session
-    version: 1.10.22-0+deb9u1
+    version: 1.10.24-0+deb9u1
   - arch: amd64
     package: dbus-x11
-    version: 1.10.22-0+deb9u1
+    version: 1.10.24-0+deb9u1
   - arch: amd64
     package: dbus
-    version: 1.10.22-0+deb9u1
+    version: 1.10.24-0+deb9u1
   - arch: amd64
     package: dconf-cli
     version: 0.26.0-2+b1
@@ -784,7 +784,7 @@
     version: 1.0.1-1
   - arch: amd64
     package: gdm3
-    version: 3.22.3-3
+    version: 3.22.3-3+deb9u1
   - arch: all
     package: gedit-common
     version: 3.22.0-2
@@ -850,7 +850,7 @@
     version: 2.36.5-2+deb9u1.0tails1
   - arch: amd64
     package: gir1.2-gdm-1.0
-    version: 3.22.3-3
+    version: 3.22.3-3+deb9u1
   - arch: amd64
     package: gir1.2-ges-1.0
     version: 1.10.4-1
@@ -1288,7 +1288,7 @@
     version: 0.35.0+20060710.4
   - arch: amd64
     package: iproute2
-    version: 4.9.0-1
+    version: 4.9.0-1+deb9u1
   - arch: amd64
     package: iptables
     version: 1.6.0+snapshot20161117-6
@@ -1306,7 +1306,7 @@
     version: 3.75-1
   - arch: all
     package: isolinux
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - arch: amd64
     package: iucode-tool
     version: 2.1.1-1
@@ -1480,19 +1480,19 @@
     version: 0.5.4-4+b1
   - arch: amd64
     package: libavcodec57
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libavfilter6
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libavformat57
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libavresample3
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libavutil55
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: all
     package: libb-hooks-endofscope-perl
     version: 0.21-1
@@ -1819,10 +1819,10 @@
     version: 2.2.1-8
   - arch: amd64
     package: libcurl3-gnutls
-    version: 7.52.1-5+deb9u2
+    version: 7.52.1-5+deb9u3
   - arch: amd64
     package: libcurl3
-    version: 7.52.1-5+deb9u2
+    version: 7.52.1-5+deb9u3
   - arch: all
     package: libdata-optlist-perl
     version: 0.110-1
@@ -1840,7 +1840,7 @@
     version: 2:1.42-1
   - arch: all
     package: libdatetime-timezone-perl
-    version: 1:2.09-1+2017b
+    version: 1:2.09-1+2017c
   - arch: amd64
     package: libdatrie1
     version: 0.2.10-4+b1
@@ -1852,7 +1852,7 @@
     version: 5.3.28-12+deb9u1
   - arch: amd64
     package: libdbus-1-3
-    version: 1.10.22-0+deb9u1
+    version: 1.10.24-0+deb9u1
   - arch: amd64
     package: libdbus-glib-1-2
     version: 0.108-2
@@ -2209,7 +2209,7 @@
     version: 2.36.5-2+deb9u1.0tails1
   - arch: amd64
     package: libgdm1
-    version: 3.22.3-3
+    version: 3.22.3-3+deb9u1
   - arch: amd64
     package: libgee-0.8-2
     version: 0.18.1-1
@@ -2551,7 +2551,7 @@
     version: 2:1.0.9-2
   - arch: amd64
     package: libicu57
-    version: 57.1-6
+    version: 57.1-6+deb9u1
   - arch: amd64
     package: libid3tag0
     version: 0.15.1b-12
@@ -2788,7 +2788,7 @@
     version: 1.14-1+b1
   - arch: all
     package: liblog-log4perl-perl
-    version: 1.48-1
+    version: 1.48-1+deb9u1
   - arch: amd64
     package: liblogging-stdlog0
     version: 1.0.5-2+b2
@@ -2797,10 +2797,10 @@
     version: 2.0.1-1.1+b1
   - arch: all
     package: liblouis-data
-    version: 3.0.0-3
+    version: 3.0.0-3+deb9u1
   - arch: amd64
     package: liblouis12
-    version: 3.0.0-3+b1
+    version: 3.0.0-3+deb9u1
   - arch: amd64
     package: liblqr-1-0
     version: 0.4.2-2+b2
@@ -3379,7 +3379,7 @@
     version: 0.1~svn20101010-5
   - arch: amd64
     package: libpostproc54
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libpotrace0
     version: 1.13-3
@@ -3424,13 +3424,13 @@
     version: 2.7.13-2
   - arch: amd64
     package: libpython2.7-minimal
-    version: 2.7.13-2
+    version: 2.7.13-2+deb9u2
   - arch: amd64
     package: libpython2.7-stdlib
-    version: 2.7.13-2
+    version: 2.7.13-2+deb9u2
   - arch: amd64
     package: libpython2.7
-    version: 2.7.13-2
+    version: 2.7.13-2+deb9u2
   - arch: amd64
     package: libpython3-stdlib
     version: 3.5.3-1
@@ -3745,7 +3745,7 @@
     version: 2.29.2-1
   - arch: amd64
     package: libsmbclient
-    version: 2:4.5.12+dfsg-2
+    version: 2:4.5.12+dfsg-2+deb9u1
   - arch: amd64
     package: libsnappy1v5
     version: 1.1.3-3
@@ -3805,7 +3805,7 @@
     version: 1.2~rc1.2-1+b2
   - arch: amd64
     package: libsqlite3-0
-    version: 3.16.2-5
+    version: 3.16.2-5+deb9u1
   - arch: amd64
     package: libsratom-0-0
     version: 0.6.0~dfsg0-1
@@ -3825,15 +3825,9 @@
     package: libssl1.0.2
     version: 1.0.2l-2+deb9u1
   - arch: amd64
-    package: libssl1.0.2
-    version: 1.0.2l-2
-  - arch: amd64
     package: libssl1.1
     version: 1.1.0f-3+deb9u1
   - arch: amd64
-    package: libssl1.1
-    version: 1.1.0f-3
-  - arch: amd64
     package: libstartup-notification0
     version: 0.12-4+b2
   - arch: amd64
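Review bot: the removed `libssl1.0.2` 1.0.2l-2 and `libssl1.1` 1.1.0f-3 entries show that the old manifest listed two versions of each library, and only the `+deb9u1` ones remain. Nothing in the diff says where the second copies came from or why they are gone. Please record the reason in the ticket, so that a package version disappearing from the manifest is explained rather than inferred.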
@@ -3883,10 +3877,10 @@
     version: 2.17-2
   - arch: amd64
     package: libswresample2
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libswscale4
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: all
     package: libsyntax-keyword-junction-perl
     version: 0.003008-1
@@ -4120,7 +4114,7 @@
     version: 1.12.0-1
   - arch: amd64
     package: libwbclient0
-    version: 2:4.5.12+dfsg-2
+    version: 2:4.5.12+dfsg-2+deb9u1
   - arch: amd64
     package: libwebkit2gtk-4.0-37
     version: 2.16.6-0+deb9u1
@@ -4270,7 +4264,7 @@
     version: 1:0.4.4-2
   - arch: amd64
     package: libxcursor1
-    version: 1:1.1.14-1+b4
+    version: 1:1.1.14-1+deb9u1
   - arch: amd64
     package: libxdamage1
     version: 1:1.1.4-2+b3
@@ -4306,10 +4300,10 @@
     version: 2:1.1.3-1+b3
   - arch: amd64
     package: libxkbcommon-x11-0
-    version: 0.7.1-1
+    version: 0.7.1-2~deb9u1
   - arch: amd64
     package: libxkbcommon0
-    version: 0.7.1-1
+    version: 0.7.1-2~deb9u1
   - arch: amd64
     package: libxkbfile1
     version: 1:1.0.9-2
@@ -4324,7 +4318,7 @@
     version: 0.41-2
   - arch: amd64
     package: libxml-libxml-perl
-    version: 2.0128+dfsg-1+b1
+    version: 2.0128+dfsg-1+deb9u1
   - arch: amd64
     package: libxml-libxslt-perl
     version: 1.95-1+b1
@@ -4453,22 +4447,22 @@
     version: '4.5'
   - arch: amd64
     package: linux-compiler-gcc-6-x86
-    version: 4.13.10-1
+    version: 4.13.13-1
   - arch: amd64
     package: linux-headers-4.13.0-1-amd64
-    version: 4.13.10-1
+    version: 4.13.13-1
   - arch: all
     package: linux-headers-4.13.0-1-common
-    version: 4.13.10-1
+    version: 4.13.13-1
   - arch: amd64
     package: linux-image-4.13.0-1-amd64
-    version: 4.13.10-1
+    version: 4.13.13-1
   - arch: amd64
     package: linux-kbuild-4.13
-    version: 4.13.10-1
+    version: 4.13.13-1
   - arch: amd64
     package: linux-libc-dev
-    version: 4.9.51-1
+    version: 4.9.65-3
   - arch: all
     package: live-boot-initramfs-tools
     version: 1:20170112
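Review bot: the kernel entries keep their `4.13.0-1` package names and only move from 4.13.10-1 to 4.13.13-1, so this snapshot bump does not bring in Linux 4.14, and `linux-libc-dev` is on a separate 4.9 series (4.9.51-1 to 4.9.65-3). Please state in the ticket that the 4.14 part is out of scope for this branch and that the version mismatch between `linux-libc-dev` and the image/headers packages is expected.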
@@ -4480,10 +4474,10 @@
     version: 1:20170213
   - arch: all
     package: live-config-systemd
-    version: '5.20170112'
+    version: 5.20170112+deb9u1
   - arch: all
     package: live-config
-    version: '5.20170112'
+    version: 5.20170112+deb9u1
   - arch: all
     package: live-tools
     version: 1:20151214+nmu1
@@ -4663,7 +4657,7 @@
     version: 1.0-1
   - arch: amd64
     package: openssh-client
-    version: 1:7.4p1-10+deb9u1
+    version: 1:7.4p1-10+deb9u2
   - arch: amd64
     package: openssl
     version: 1.1.0f-3+deb9u1
@@ -4951,10 +4945,10 @@
     version: 0.10+doc-10.1
   - arch: amd64
     package: python2.7-minimal
-    version: 2.7.13-2
+    version: 2.7.13-2+deb9u2
   - arch: amd64
     package: python2.7
-    version: 2.7.13-2
+    version: 2.7.13-2+deb9u2
   - arch: amd64
     package: python3-apt
     version: 1.4.0~beta3
@@ -5020,7 +5014,7 @@
     version: 2.8-1
   - arch: all
     package: python3-louis
-    version: 3.0.0-3
+    version: 3.0.0-3+deb9u1
   - arch: amd64
     package: python3-lxml
     version: 3.7.1-1
@@ -5173,7 +5167,7 @@
     version: 8.24.0-1
   - arch: amd64
     package: samba-libs
-    version: 2:4.5.12+dfsg-2
+    version: 2:4.5.12+dfsg-2+deb9u1
   - arch: amd64
     package: sane-utils
     version: 1.0.25-4.1
@@ -5233,7 +5227,7 @@
     version: 0.17.0-1
   - arch: amd64
     package: sqlite3
-    version: 3.16.2-5
+    version: 3.16.2-5+deb9u1
   - arch: amd64
     package: squashfs-tools
     version: 1:4.3-3.0tails4
@@ -5257,16 +5251,16 @@
     version: 0.84.2
   - arch: all
     package: syslinux-common
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - arch: all
     package: syslinux-efi
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - arch: amd64
     package: syslinux-utils
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - arch: amd64
     package: syslinux
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - arch: all
     package: system-config-printer-common
     version: 1.5.7-3
@@ -5533,7 +5527,7 @@
     version: 1:9.0.06-2
   - arch: all
     package: tzdata
-    version: 2017b-1
+    version: 2017c-0+deb9u1
   - arch: all
     package: ucf
     version: '3.0036'
@@ -5584,13 +5578,13 @@
     version: 2:8.0.0197-4+deb9u1
   - arch: all
     package: virtualbox-guest-dkms
-    version: 5.2.0-dfsg-4
+    version: 5.2.2-dfsg-3
   - arch: amd64
     package: virtualbox-guest-utils
-    version: 5.2.0-dfsg-4
+    version: 5.2.2-dfsg-3
   - arch: amd64
     package: virtualbox-guest-x11
-    version: 5.2.0-dfsg-4
+    version: 5.2.2-dfsg-3
   - arch: all
     package: wamerican
     version: 7.1-1
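Review bot: the three `virtualbox-guest-*` packages go from 5.2.0-dfsg-4 to 5.2.2-dfsg-3, a version with no `+deb9u` suffix, so this does not look like a Stretch point-release update but a new upstream version picked up by the snapshot bump. Since `virtualbox-guest-dkms` builds against the kernel headers that also change in this diff, please list a boot test under VirtualBox in the QA notes.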
@@ -5598,9 +5592,6 @@
     package: wget
     version: 1.18-5+deb9u1
   - arch: amd64
-    package: wget
-    version: 1.18-5
-  - arch: amd64
     package: whiptail
     version: 0.52.19-1+b1
   - arch: all
@@ -5791,6 +5782,6 @@
     version: 1:1.2.8.dfsg-5
   source:
   - package: syslinux
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - package: torbrowser-launcher
-    version: 0.2.8-4
+    version: 0.2.8-5

#8 Updated by intrigeri almost 2 years ago

I've inspected that diff and found nothing alarming.

#9 Updated by intrigeri almost 2 years ago

  • % Done changed from 10 to 20

intrigeri wrote:

I've inspected that diff and found nothing alarming.

Same for the diff between the .packages files.

I've run the full test suite and the only failures were:

  • "Symmetric encryption and decryption using OpenPGP Applet" which looks like a test suite bug: Last ignored exception was: FindFailed: can not find GpgAppletEncryptPassphrase.png but that menu entry is on the screen, so I suspect the try_for + wait_and_click logic is confused by the fuzzy matching, or something
  • "Unsafe Browser failed to launch in the following locale(s): en_US.utf8" which looks like a test suite bug: the Unsafe Browser did start in English, but the test suite got confused, did not even start it in the 2nd language to be tested, and then successfully started it in the 3rd one; I'll report back on #15006
  • #14819, despite building from 6c23dc58e241abd46efba7f861baa1b4fdf2e811 i.e. aac8f18098c52ceb017490d399fbce2f026c6897 and 01f13a806da5cc0c63e6d675de6659da4292cc30 were in use => I'll report back there

I'd like to see the first scenario pass at least once so I've started another run. But I'm not sure if I should block on the other ones: on the one hand it feels a bit scary to send this to review'n'merge despite our test suite not having been able to validate MAC spoofing; OTOH we can't block all development on test suite bugs, so well. If I make up my mind and call this ready for QA, I'll move the Linux 4.14 part to another ticket: the snapshot I've picked so far still has 4.13 (and has 4.14 too), so it's a "Linux 4.14 is blocked by Stretch 9.3" relationship and not 2 things we have to do in lockstep :)

#10 Updated by intrigeri almost 2 years ago

  • Subject changed from Consider upgrading to Stretch 9.3 and Linux 4.14 in Tails 3.4 to Upgrade to Stretch 9.3 in Tails 3.4
  • Assignee changed from intrigeri to anonym
  • % Done changed from 20 to 50
  • QA Check set to Ready for QA

intrigeri wrote:

I'd like to see the first scenario pass at least once so I've started another run.

… and it passed.

But I'm not sure if I should block on the other ones: on the one hand it feels a bit scary to send this to review'n'merge despite our test suite not having been able to validate MAC spoofing; OTOH we can't block all development on test suite bugs, so well.

I'll let anonym decide.

If I make up my mind and call this ready for QA, I'll move the Linux 4.14 part to another ticket: […]

Will do!

Post-merge step

Bump the expiration date of the new snapshot to match the old one's.

#11 Updated by intrigeri almost 2 years ago

  • Related to deleted (Feature #15000: Ensure we benefit from new security features in Linux 4.14)

#12 Updated by intrigeri almost 2 years ago

#13 Updated by intrigeri almost 2 years ago

  • Subject changed from Upgrade to Stretch 9.3 in Tails 3.4 to Upgrade to Stretch 9.3

#14 Updated by anonym almost 2 years ago

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Initially I was very confused by my .packages diff, but that turned out to be #15041. I was also confused by

     package: wget
     version: 1.18-5+deb9u1
   - arch: amd64
-    package: wget
-    version: 1.18-5
-  - arch: amd64

but I realize the other wget version probably was used by the build system.

intrigeri wrote:

intrigeri wrote:

I'd like to see the first scenario pass at least once so I've started another run.

… and it passed.

I have seen the full (except one scenario due to #14935) test suite pass with an image with the fixes for #14993 + #14999 + #15019, so it looks good => merged!

But I'm not sure if I should block on the other ones: on the one hand it feels a bit scary to send this to review'n'merge despite our test suite not having been able to validate MAC spoofing; OTOH we can't block all development on test suite bugs, so well.

I'll let anonym decide.

I manually tested #14935, so this is not a concern any more!

Post-merge step

Bump the expiration date of the new snapshot to match the old one's.

Bumped:

config/APT_snapshots.d:
* Archive 'debian' uses snapshot '2017120903' which expires on: Thu, 22 Mar 2018 12:40:31 +0000
* Archive 'debian-security' uses snapshot 'latest' which expires on: never
* Archive 'torproject' uses snapshot '2017120803' which expires on: Thu, 22 Mar 2018 12:40:38 +0000
---
vagrant/definitions/tails-builder/config/APT_snapshots.d:
* Archive 'debian' uses snapshot '2017091504' which expires on: Thu, 22 Mar 2018 16:41:14 +0000
* Archive 'debian-security' uses snapshot '2017091504' which expires on: Thu, 22 Mar 2018 16:41:20 +0000
* Archive 'tails' uses snapshot '2017091504' which expires on: Thu, 22 Mar 2018 16:41:23 +0000
---

#15 Updated by intrigeri almost 2 years ago

  • Target version changed from Tails_3.5 to Tails_3.4

#16 Updated by anonym almost 2 years ago

  • Status changed from Fix committed to Resolved
