On 2026-04-30, Vagrant Cascadian wrote:
> On 2026-04-30, Ludovic Courtès wrote:
>> Gary Johnson <[email protected]> skribis:
>>
>>> My apologies if I've missed announcements related to this, but have we
>>> updated our Linux kernel yet to patch against the recent Copy Fail exploit?
>>>
>>> https://copy.fail/
>>
>> I was looking at it just now. There are more details in their post:
>>
>> https://xint.io/blog/copy-fail-linux-distributions
>>
>> But I only found the list of Linux versions that include a fix in this
>> post:
>>
>> https://seclists.org/oss-sec/2026/q2/281
>>
>> From what I can see 6.19.12 and 6.18.22, which we currently ship,
>> include the fix.
>
> We also, as of yesterday with commit
> d279f642d65c89374340d046c0a51ebcb59b387a, ship 6.19.14 and 6.18.25 :)

Rodion proposed an update with the versions still affected:

https://codeberg.org/guix/guix/pulls/8245

... and I added all the outstanding kernel version updates (6.18.26,
7.0.3) to the kernel-updates branch, which ci is now churning on, with
some successes and some failures... actual substitute availability is
sometimes surprisingly slow even after a successful build (hours,
sometimes days!)...

> I think the vast majority of the time is applying and verifying the
> linux-libre patchsets to generate the cleaned source tarball; the actual
> kernel builds themselves do not take that long once they get
> started... most of the time, I have doubts about not just pulling the
> linux-libre tarballs directly rather than re-applying that process
> ourselves against the upstream linux tarballs...
>
> Although in situations like this, the infrastructure we have now allows
> us to attempt to move forward with fixes before linux-libre has had a
> chance to verify things...

And linux-libre (last I checked) did not yet vet the newer versions...
but usually it only takes a day or two.

> If the newer 5.10.x still fails to build (none of the commits look like
> they address the issue) help debugging the failure would be appreciated:
>
> https://codeberg.org/guix/guix/pulls/8032#issuecomment-13965350
> https://ci.guix.gnu.org/build/21164235/log/raw

5.10.254 is still failing to build with the same issue:

https://ci.guix.gnu.org/build/21222646/details

Probably a backported patch not quite correctly backported... help git
bisecting that issue would definitely be appreciated (5.10.252 built
fine, at least)... I am a bit low on disk space to attempt it.

I kind of hate this idea, but we can push with a known build failure on
x86_64 for 5.10.x (as it still does solve the issue for aarch64) ... and
if people complain about the build failure, well, we know we actually
have people using that version... :)

live well,
  vagrant
