Feature #14728
Track security updates during the Tails code freeze
Description
This affects:
- packages we install from other dists than Debian stable, e.g. from Debian testing or Debian sid. A good example of the problem is the Linux kernel which we install from sid; for instance, at the time of the 3.2 freeze we got linux 4.12.12-2, but in the middle of the freeze linux 4.12.13-1 was uploaded to sid, and it was not noticed until the final 3.2 was built so we missed out on several security updates.
- packages we override with our custom APT repo, see e.g. Bug #14729 for one instance of this problem
Subtasks
Related issues
Related to Tails - |
Resolved | 2017-09-26 | |
Related to Tails - |
Resolved | 2018-04-11 | |
Related to Tails - |
Resolved | ||
Blocks Tails - Feature #16209: Core work: Foundations Team | Confirmed |
History
#1 Updated by intrigeri 2017-09-27 07:51:59
- related to Bug #14729: Fix gdk-pixbuf vulnerability (CVE-2017-2862) added
#2 Updated by intrigeri 2017-09-27 07:53:09
- Subject changed from Improve tracking of security updates during the freeze to Track security updates during the Tails code freeze
- Description updated
#3 Updated by anonym 2017-09-27 13:48:14
The comment Bug #14729#note-4 is relevant here. In particular, I believe the solution to our security tracking woes is to automate it.
#4 Updated by intrigeri 2017-09-28 05:47:41
A short-term, trivial fix would be to:
- add another instance of “Coordinate with Debian security updates” (that we already have in the Pre-freeze section of our release process) later in our release process
- generalize a bit https://tails.boum.org/contribute/release_process/Debian_security_updates/ to make it cover the two cases this ticket is about
#5 Updated by anonym 2017-11-15 11:30:57
- Target version changed from Tails_3.3 to Tails_3.5
#6 Updated by anonym 2018-01-23 19:52:52
- Target version changed from Tails_3.5 to Tails_3.6
#7 Updated by anonym 2018-02-19 13:54:43
- Target version changed from Tails_3.6 to Tails_3.7
#8 Updated by intrigeri 2018-03-28 09:59:37
Regarding the 1st problem: check the list of packages upgraded between a build from our frozen release branch (stable or testing) and a build from a devel branch (that’s unfrozen).
Regarding the 2nd problem: check if any included package has a smaller version than in Debian stable + security. E.g. use the same API as rmadison uses to query the Debian archive.
#9 Updated by intrigeri 2018-04-13 11:55:33
- Target version changed from Tails_3.7 to Tails_3.8
#10 Updated by intrigeri 2018-05-25 13:24:52
- Target version changed from Tails_3.8 to Tails_3.10.1
#11 Updated by Anonymous 2018-08-17 06:37:24
- Assignee changed from anonym to intrigeri
I’m tentatively reassigning this to FT so you can decide what to do with this ticket.
#12 Updated by intrigeri 2018-08-17 12:23:27
- Assignee changed from intrigeri to anonym
> I’m tentatively reassigning this to FT so you can decide what to do with this ticket.
I’d rather leave such tickets assigned to anonym for now so they stand out as something that needs to be shared differently and reassigned, which will make it easier for our team to organize.
#13 Updated by intrigeri 2018-09-11 08:09:03
- related to Feature #15524: Iteration 1: Write release process documentation for custom packages added
#14 Updated by segfault 2018-10-14 10:55:38
This should also include checking for updates of our custom packages for VeraCrypt support (see Feature #15524)
#15 Updated by intrigeri 2018-10-24 17:03:42
- Target version changed from Tails_3.10.1 to Tails_3.11
#16 Updated by anonym 2018-12-03 15:20:54
- Target version changed from Tails_3.11 to Tails_3.12
#17 Updated by anonym 2019-01-15 13:06:16
intrigeri wrote:
> > I’m tentatively reassigning this to FT so you can decide what to do with this ticket.
>
> I’d rather leave such tickets assigned to anonym for now so they stand out as something that needs to be shared differently and reassigned, which will make it easier for our team to organize.
I’m still having this ticket on my plate, but I’d love if someone else would take it.
#19 Updated by intrigeri 2019-01-25 08:39:34
- blocks Feature #15507: Core work 2019Q1: Foundations Team added
#20 Updated by intrigeri 2019-01-25 08:39:45
- Assignee deleted (anonym)
- Target version changed from Tails_3.12 to Tails_3.13
#21 Updated by intrigeri 2019-03-12 14:16:53
- Target version deleted (Tails_3.13)
#22 Updated by intrigeri 2019-03-12 16:10:26
- blocks Feature #16209: Core work: Foundations Team added
#23 Updated by intrigeri 2019-03-12 16:10:34
- blocked by deleted (Feature #15507: Core work 2019Q1: Foundations Team)
#24 Updated by intrigeri 2019-10-10 11:49:22
- related to Bug #17144: Merge Debian's 1.5.19-4+deb10u1 into our patched ibus package added