Re: Please unblock schroot 1.4.16-1
On Wed, Dec 08, 2010 at 08:44:48PM +, Adam D. Barratt wrote:
> On Tue, 2010-12-07 at 17:31 +, Roger Leigh wrote:
> > I've made a new upload of schroot to unstable which fixes a few security- and upgrade-related bugs. The bulk of the changes are documentation (manual pages, release notes and changelogs). The code changes are tiny, but are important to have to upgrade from lenny cleanly and fully document security issues and program behaviour.
>
> Unblocked; thanks.
>
> As discussed on IRC, it's a shame that this resulted in a new translatable (and currently untranslated) string, although the fact that the string should rarely be seen and is in the program translation rather than a debconf template mitigates this slightly.

I've allowed a fortnight for translation updates to come back, and made a new release (1.4.17-1) containing five translation updates and an additional RC bugfix. Please could you unblock this to allow it into squeeze?

Changes:
http://git.debian.org/?p=buildd-tools/schroot.git;a=commitdiff;h=debian/schroot-1.4.17-1;hp=debian/schroot-1.4.16-1

Changes with generated files included:
http://git.debian.org/?p=buildd-tools/schroot.git;a=commitdiff;h=distribution/schroot-1.4.17;hp=distribution/schroot-1.4.16

Many thanks,
Roger

schroot (1.4.17-1) unstable; urgency=low

  * New upstream stable release.
  * 15killprocs: Don't kill processes in other sessions (Closes: #608054). Compare full chroot path in addition to device and inode numbers, since the device and inode are not sufficiently unique (they are shared between non-cloned sessions such as for directory type chroots).
  * Updated translations:
    - da (Closes: #606305). Thanks to Joe Hansen.
    - de (Closes: #606245). Thanks to Holger Wansing.
    - fr (Closes: #606394). Thanks to Thomas Blein.
    - it. Thanks to Vincenzo Campanella.
    - zh_CN. Thanks to Ji ZhengYu.

-- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux?
http://gutenprint.sourceforge.net/ `-GPG Public Key: 0x25BFB848 Please GPG sign your mail. diff --git a/NEWS b/NEWS index 8fa9bba..bdc5677 100644 --- a/NEWS +++ b/NEWS @@ -1,12 +1,16 @@ NEWS-*- outline -*- -Welcome to schroot 1.4.16. Please read these release notes carefully. +Welcome to schroot 1.4.17. Please read these release notes carefully. Full installation instructions are provided in the INSTALL file. The README file also contains more specific notes regarding building and configuration. +* Major changes in 1.4.17: + + None. + * Major changes in 1.4.16: 1) Chroot naming restrictions introduced in 1.4.0 have been relaxed diff --git a/debian/changelog b/debian/changelog index 19022bf..fdb1c7f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,20 @@ +schroot (1.4.17-1) unstable; urgency=low + + * New upstream stable release. + * 15killprocs: Don't kill processes in other sessions +(Closes: #608054). Compare full chroot path in addition to device +and inode numbers, since the device and inode are not sufficiently +unique (they are shared between non-cloned sessions such as for +directory type chroots). + * Updated translations: +- da (Closes: #606305). Thanks to Joe Hansen. +- de (Closes: #606245). Thanks to Holger Wansing. +- fr (Closes: #606394). Thanks to Thomas Blein. +- it. Thanks to Vincenzo Campanella. +- zh_CN. Thanks to Ji ZhengYu. + + -- Roger Leigh rle...@debian.org Wed, 29 Dec 2010 16:41:30 + + schroot (1.4.16-1) unstable; urgency=low * New upstream stable release. diff --git a/etc/setup.d/15killprocs b/etc/setup.d/15killprocs index 619035e..1f246b0 100755 --- a/etc/setup.d/15killprocs +++ b/etc/setup.d/15killprocs 
@@ -40,28 +40,35 @@ do_kill_all() info Killing processes run inside $1 ls /proc | egrep '^[[:digit:]]+$' | while read pid; do + # Check if process root are the same device/inode as chroot + # root (for efficiency) if [ /proc/$pid/root -ef $1 ]; then -exe=$(readlink /proc/$pid/exe || true) -info Killing left-over pid $pid (${exe##$1}) -info Sending SIGTERM to pid $pid + # Check if process and chroot root are the same (may be + # different even if device/inode match). + root=$(readlink /proc/$pid/root || true) + if [ $root = $1 ]; then + exe=$(readlink /proc/$pid/exe || true) + info Killing left-over pid $pid (${exe##$1}) + info Sending SIGTERM to pid $pid -/bin/kill -TERM $pid 2/dev/null + /bin/kill -TERM $pid 2/dev/null -count=0 -max=5 -while [ -d /proc/$pid ]; do -count=$(( $count + 1 )) -info Waiting for pid $pid to shut down... ($count/$max) -sleep 1 -# Wait for $max seconds for process to die before -9'ing
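Review bot: The new "Major changes in 1.4.17" entry in the NEWS hunk says "None.", but the debian/changelog hunk in this same patch records a behaviour fix in 15killprocs (processes in other sessions were being killed, #608054). NEWS asks readers to read the release notes carefully, so a one-line entry describing that fix would be more useful there than "None.".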
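Review bot: In the etc/setup.d/15killprocs hunk, the added inner test `if [ $root = $1 ]` is unquoted as it appears here, while the line above it lets readlink fail (`|| true`). If the process exits between the -ef check and the readlink, $root is empty and the test becomes `[ = $1 ]`, which is a test syntax error rather than a clean "no match"; a chroot path containing whitespace would also be split into several words. Suggest `if [ "$root" = "$1" ]; then`. Minor: the first added comment reads "Check if process root are the same device/inode", which should be "is".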
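The changelog entry above says device and inode numbers are not sufficiently unique because non-cloned sessions share them. The following is an added illustration, not code from schroot: it builds a constructed sandbox in which symlinks stand in for two sessions that resolve to one directory, and compares a device/inode-only match with the additional path comparison. The names `select_pids` and `make_sandbox`, the fake proc tree and the pids are assumptions made for the example.

```shell
#!/bin/sh
# select_pids PROCDIR CHROOT MODE
#   MODE=inode: match on device/inode only (-ef)
#   MODE=path : additionally require the root link text to equal CHROOT
select_pids() {
    proc=$1 chroot=$2 mode=$3 out=""
    for d in "$proc"/[0-9]*; do
        pid=${d##*/}
        # Cheap first filter: same device and inode as the chroot root.
        [ "$d/root" -ef "$chroot" ] || continue
        if [ "$mode" = path ]; then
            # A failed readlink leaves root empty; quoting keeps the
            # comparison well-formed and simply false in that case.
            root=$(readlink "$d/root" || true)
            [ "$root" = "$chroot" ] || continue
        fi
        out="$out${out:+ }$pid"
    done
    printf '%s\n' "$out"
}

# Constructed sandbox: session-a and session-b are different paths to the
# same directory, so they share one device/inode pair. Pids are made up.
make_sandbox() {
    base=$(mktemp -d)
    mkdir -p "$base/shared" "$base/other" \
             "$base/proc/101" "$base/proc/202" "$base/proc/303"
    ln -s "$base/shared" "$base/session-a"
    ln -s "$base/shared" "$base/session-b"
    ln -s "$base/session-a" "$base/proc/101/root"   # belongs to session a
    ln -s "$base/session-b" "$base/proc/202/root"   # belongs to session b
    ln -s "$base/other"     "$base/proc/303/root"   # unrelated process
    printf '%s\n' "$base"
}

sandbox=$(make_sandbox)
echo "ending session-a, dev/inode only: $(select_pids "$sandbox/proc" "$sandbox/session-a" inode)"
echo "ending session-a, with path check: $(select_pids "$sandbox/proc" "$sandbox/session-a" path)"
rm -rf "$sandbox"
```

With the device/inode test alone, ending session-a also selects the process that belongs to session-b; the path comparison narrows the selection to the session being ended.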
Re: Please unblock schroot 1.4.16-1
On Tue, 2010-12-07 at 17:31 +, Roger Leigh wrote:
> I've made a new upload of schroot to unstable which fixes a few security- and upgrade-related bugs. The bulk of the changes are documentation (manual pages, release notes and changelogs). The code changes are tiny, but are important to have to upgrade from lenny cleanly and fully document security issues and program behaviour.

Unblocked; thanks.

As discussed on IRC, it's a shame that this resulted in a new translatable (and currently untranslated) string, although the fact that the string should rarely be seen and is in the program translation rather than a debconf template mitigates this slightly.

Regards,

Adam
Re: Please unblock schroot 1.4.16-1
On Wed, Dec 08, 2010 at 08:44:48PM +, Adam D. Barratt wrote:
> On Tue, 2010-12-07 at 17:31 +, Roger Leigh wrote:
> > I've made a new upload of schroot to unstable which fixes a few security- and upgrade-related bugs. The bulk of the changes are documentation (manual pages, release notes and changelogs). The code changes are tiny, but are important to have to upgrade from lenny cleanly and fully document security issues and program behaviour.
>
> Unblocked; thanks.
>
> As discussed on IRC, it's a shame that this resulted in a new translatable (and currently untranslated) string, although the fact that the string should rarely be seen and is in the program translation rather than a debconf template mitigates this slightly.

Many thanks. I've already received updated da, de and it translations. I should hopefully be able to make a new release with all of the translations updated in the next week or so once the rest come in.

Regards,
Roger

-- 
 .''`.  Roger Leigh
: :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
`. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
  `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
Please unblock schroot 1.4.16-1
Hi,

I've made a new upload of schroot to unstable which fixes a few security- and upgrade-related bugs. The bulk of the changes are documentation (manual pages, release notes and changelogs). The code changes are tiny, but are important to have to upgrade from lenny cleanly and fully document security issues and program behaviour.

Please could you consider unblocking for squeeze?

Thanks,
Roger

#601043, #605939:
Upgrade failure when upgrading from lenny. The restrictions on valid filenames were made much stricter in 1.4.0 (later than Lenny), meaning many configurations are broken when upgrading. After auditing all validation and usage paths in the code, I've relaxed the naming restrictions such that it remains secure, but allows most names which were valid in lenny. There's a complete rationale for the naming restrictions in schroot.conf(5).

#605950
This is a regression which results in mount options in the configuration file being ignored. They are now correctly preserved.

#606162
This is a performance regression which caused schroot to run extremely poorly on large heavily loaded systems; this speeds up session cleanup by orders of magnitude by using shell builtins rather than invoking readlink once per running process on the system.

#587758
Documentation of security issues relating to configuration

#599380
Documentation update (non-essential)

schroot (1.4.16-1) unstable; urgency=low

  * New upstream stable release.
  * Document schroot -- option delimiter in schroot(1) (Closes: #599380).
  * Document security implications of bind-mounting /dev and other filesystems in schroot.conf(5) (Closes: #587758).
  * Relax chroot naming restrictions (Closes: #601043, #605939). The name may not contain a leading period (‘.’). The characters ‘:’ (colon), ‘,’ (comma) and ‘/’ (forward slash) are not permitted anywhere in the name. The name may also not contain a trailing tilde ('~'). Otherwise any characters are permitted.
  * 10mount: Respect mount options from configuration for all mountable chroot types (Closes: #605950). Thanks to Nelson Elhage for this patch.
  * 15killprocs: Improve performance by omitting a readlink call for each process running on the system, leading to a significant reduction in overhead on busy systems (Closes: #606162). Thanks to Anders Kaseorg for this patch.

 -- Roger Leigh rle...@debian.org  Tue, 07 Dec 2010 12:29:25 +

Regards,
Roger

-- 
 .''`.  Roger Leigh
: :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
`. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
  `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.