Feature #14728

Track security updates during the Tails code freeze

Added by anonym 2017-09-26 14:58:23. Updated 2019-03-12 14:16:53.

Status: Confirmed
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2017-09-26
Due date:
% Done: 0%
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

This affects:

  1. packages we install from other dists than Debian stable, e.g. from Debian testing or Debian sid. A good example of the problem is the Linux kernel which we install from sid; for instance, at the time of the 3.2 freeze we got linux 4.12.12-2, but in the middle of the freeze linux 4.12.13-1 was uploaded to sid, and it was not noticed until the final 3.2 was built so we missed out on several security updates.
  2. packages we override with our custom APT repo, see e.g. Bug #14729 for one instance of this problem


Related issues

Related to Tails - Bug #14729: Fix gdk-pixbuf vulnerability (CVE-2017-2862) Resolved 2017-09-26
Related to Tails - Feature #15524: Iteration 1: Write release process documentation for custom packages Resolved 2018-04-11
Related to Tails - Bug #17144: Merge Debian's 1.5.19-4+deb10u1 into our patched ibus package Resolved
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed

History

#1 Updated by intrigeri 2017-09-27 07:51:59

  • related to Bug #14729: Fix gdk-pixbuf vulnerability (CVE-2017-2862) added

#2 Updated by intrigeri 2017-09-27 07:53:09

  • Subject changed from Improve tracking of security updates during the freeze to Track security updates during the Tails code freeze
  • Description updated

#3 Updated by anonym 2017-09-27 13:48:14

The comment Bug #14729#note-4 is relevant here. In particular, I believe the solution to our security tracking woes is to automate it.

#4 Updated by intrigeri 2017-09-28 05:47:41

A short-term, trivial fix would be to:

#5 Updated by anonym 2017-11-15 11:30:57

  • Target version changed from Tails_3.3 to Tails_3.5

#6 Updated by anonym 2018-01-23 19:52:52

  • Target version changed from Tails_3.5 to Tails_3.6

#7 Updated by anonym 2018-02-19 13:54:43

  • Target version changed from Tails_3.6 to Tails_3.7

#8 Updated by intrigeri 2018-03-28 09:59:37

Regarding the 1st problem: check the list of packages upgraded between a build from our frozen release branch (stable or testing) and a build from a devel branch (that’s unfrozen).

Regarding the 2nd problem: check if any included package has a smaller version than in Debian stable + security. E.g. use the same API as rmadison uses to query the Debian archive.
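
Both checks proposed in the comment above come down to comparing Debian version strings between two package sets (frozen build vs. devel build, or included packages vs. Debian stable + security). The following is an added example, not part of the ticket or of Tails' code: a pure-Python comparison following dpkg's ordering rules. The dict-based package lists and the `libfoo`/`bar` names are assumptions, and it does not query the Debian archive.

```python
import re

def _sign(x, y):
    return (x > y) - (x < y)

def _order(c):
    # dpkg ordering: "~" sorts first (even before end of string, which is 0),
    # then letters, then all other symbols.
    if c in ("~", ""):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Alternate between a non-digit run and a numeric run, as dpkg does.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):
            if d := _sign(_order(na[i:i + 1]), _order(nb[i:i + 1])):
                return d
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if d := _sign(int(da or 0), int(db or 0)):
            return d
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, dash, rev = rest.rpartition("-")
    return int(epoch), (upstream if dash else rest), (rev if dash else "")

def deb_cmp(v1, v2):
    """Order two Debian version strings: returns -1, 0 or 1."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return _sign(e1, e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def lagging(frozen, reference):
    """Packages whose frozen version sorts below the reference version."""
    return {p: (v, reference[p]) for p, v in sorted(frozen.items())
            if p in reference and deb_cmp(v, reference[p]) < 0}

# Constructed sample data; only the two linux versions come from the ticket.
FROZEN = {"linux": "4.12.12-2", "libfoo": "1:2.0-1", "bar": "1.0~rc1-1"}
REFERENCE = {"linux": "4.12.13-1", "libfoo": "2.5-1", "bar": "1.0-1"}

if __name__ == "__main__":
    for pkg, (old, new) in lagging(FROZEN, REFERENCE).items():
        print(f"{pkg}: frozen {old} < reference {new}")
```

The epoch and `~` cases are why a plain string or tuple comparison is not enough here: `1:2.0-1` is newer than `2.5-1`, and `1.0~rc1-1` is older than `1.0-1`.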

#9 Updated by intrigeri 2018-04-13 11:55:33

  • Target version changed from Tails_3.7 to Tails_3.8

#10 Updated by intrigeri 2018-05-25 13:24:52

  • Target version changed from Tails_3.8 to Tails_3.10.1

#11 Updated by Anonymous 2018-08-17 06:37:24

  • Assignee changed from anonym to intrigeri

I’m tentatively reassigning this to FT so you can decide what to do with this ticket.

#12 Updated by intrigeri 2018-08-17 12:23:27

  • Assignee changed from intrigeri to anonym

> I’m tentatively reassigning this to FT so you can decide what to do with this ticket.

I’d rather leave such tickets assigned to anonym for now so they stand out as something that needs to be shared differently and reassigned, which will make it easier for our team to organize.

#13 Updated by intrigeri 2018-09-11 08:09:03

  • related to Feature #15524: Iteration 1: Write release process documentation for custom packages added

#14 Updated by segfault 2018-10-14 10:55:38

This should also include checking for updates of our custom packages for VeraCrypt support (see Feature #15524)

#15 Updated by intrigeri 2018-10-24 17:03:42

  • Target version changed from Tails_3.10.1 to Tails_3.11

#16 Updated by anonym 2018-12-03 15:20:54

  • Target version changed from Tails_3.11 to Tails_3.12

#17 Updated by anonym 2019-01-15 13:06:16

intrigeri wrote:
> > I’m tentatively reassigning this to FT so you can decide what to do with this ticket.
>
> I’d rather leave such tickets assigned to anonym for now so they stand out as something that needs to be shared differently and reassigned, which will make it easier for our team to organize.

I’m still having this ticket on my plate, but I’d love if someone else would take it.

#19 Updated by intrigeri 2019-01-25 08:39:34

#20 Updated by intrigeri 2019-01-25 08:39:45

  • Assignee deleted (anonym)
  • Target version changed from Tails_3.12 to Tails_3.13

#21 Updated by intrigeri 2019-03-12 14:16:53

  • Target version deleted (Tails_3.13)

#22 Updated by intrigeri 2019-03-12 16:10:26

#23 Updated by intrigeri 2019-03-12 16:10:34

  • blocked by deleted (Feature #15507: Core work 2019Q1: Foundations Team)

#24 Updated by intrigeri 2019-10-10 11:49:22

  • related to Bug #17144: Merge Debian's 1.5.19-4+deb10u1 into our patched ibus package added