Bug#918848: Plans for stretch-backports wrt. CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866?

2019-01-13 Thread intrigeri
intrigeri:
> Michael Biebl:
>> Please let us know about the results of those tests.

> Will do!

All green from the perspective of Tails' integration test suite :)

I'll let you know if the reviewer for this Tails proposed change (most
likely lamby) finds issues relevant to Debian.

The backport was totally trivial (start from your stretch backports
branch, merge the newest sid packaging tag, boom):
https://salsa.debian.org/tails-team/systemd/

Cheers,
-- 
intrigeri



Bug#918848: Plans for stretch-backports wrt. CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866?

2019-01-13 Thread intrigeri
Hi Michael!

Thanks for the quick answer.

Michael Biebl:
> On 13.01.19 at 10:46, intrigeri wrote:
>> What's your plan wrt. stretch-backports? 

> I do think we nailed the worst regressions by now, so my plan was to
> wait until 240-4 has migrated to testing and then upload that to
> stretch-backports, for the simple reason that this means less effort for
> me.

This is reassuring.

> If someone wants to backport the fixes to 239-12~bpo9+1, that would
> obviously be ok with me as well.

*If* we decide to fall back to this option for Tails, I'll happily
share the Git branch (and even upload to stretch-backports after
someone reviews it). But I do hope we won't have to go that way.

>> FWIW, on the Tails side I'll build a custom backport of 240-4 and will
>> run it through the Tails integration test suite, because we have other
>> incentives to upgrade (getting the fixes for
>> https://github.com/systemd/systemd/issues/9461) and I'd rather do this
>> upgrade now in a controlled, relaxed way, than at the last minute
>> before our freeze (if v240 is uploaded to stretch-backports on
>> Jan 17-18).

> Please let us know about the results of those tests.
> If 240-4 fails horribly, we could revisit the decision to upload this
> version to stretch-backports.

Will do!

Cheers,
-- 
intrigeri



Bug#918848: Plans for stretch-backports wrt. CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866?

2019-01-13 Thread Michael Biebl
On 13.01.19 at 10:46, intrigeri wrote:
> Hi!
> 
> In Tails we're shipping systemd/stretch-backports. We will freeze our
> code base (and the APT repositories we use) on Jan 18 for our next
> major release, so in the current state of things we would ship
> 239-12~bpo9+1, which is vulnerable to these 3 vulnerabilities. So I've
> started researching our options and I'm wondering:
> 
> What's your plan wrt. stretch-backports? 

I do think we nailed the worst regressions by now, so my plan was to
wait until 240-4 has migrated to testing and then upload that to
stretch-backports, for the simple reason that this means less effort for
me. If someone wants to backport the fixes to 239-12~bpo9+1, that would
obviously be ok with me as well.

> FWIW, on the Tails side I'll build a custom backport of 240-4 and will
> run it through the Tails integration test suite, because we have other
> incentives to upgrade (getting the fixes for
> https://github.com/systemd/systemd/issues/9461) and I'd rather do this
> upgrade now in a controlled, relaxed way, than at the last minute
> before our freeze (if v240 is uploaded to stretch-backports on
> Jan 17-18).

Please let us know about the results of those tests.
If 240-4 fails horribly, we could revisit the decision to upload this
version to stretch-backports.

Regards,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#918848: Plans for stretch-backports wrt. CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866?

2019-01-13 Thread intrigeri
Hi!

In Tails we're shipping systemd/stretch-backports. We will freeze our
code base (and the APT repositories we use) on Jan 18 for our next
major release, so in the current state of things we would ship
239-12~bpo9+1, which is vulnerable to these 3 vulnerabilities. So I've
started researching our options and I'm wondering:

What's your plan wrt. stretch-backports? 

I realize that with the serious regressions brought by v240 — that
I see upstream and you are quickly fixing, woohoo! — you might want to
let v240 mature a bit longer in testing/sid before backporting, so
I would understand if you're reluctant to upload 240-4 to
stretch-backports as soon as it migrates to testing.

But maybe you plan to upload 239-12~bpo9+2 with the fixes backported?

FWIW, on the Tails side I'll build a custom backport of 240-4 and will
run it through the Tails integration test suite, because we have other
incentives to upgrade (getting the fixes for
https://github.com/systemd/systemd/issues/9461) and I'd rather do this
upgrade now in a controlled, relaxed way, than at the last minute
before our freeze (if v240 is uploaded to stretch-backports on
Jan 17-18).

Thanks a *lot* for your amazing work on the systemd package!

Cheers,
-- 
intrigeri