Feature #14728: Track security updates during the Tails code freeze

Feature #14728

Track security updates during the Tails code freeze

Added by anonym 2017-09-26 14:58:23 . Updated 2019-03-12 14:16:53 .

Status:

Confirmed

Priority:

Normal

Assignee:

Category:

Target version:

Start date:

2017-09-26

Due date:

% Done:

Feature Branch:

Type of work:

Research

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

This affects:

packages we install from others dists than Debian stable, e.g. from Debian testing or Debian sid. A good example of the problem is the linux kernel which we install from sid; for instance, at the time of the 3.2 freeze we got linux 4.12.12-2, but in the middle of the freeze linux 4.12.13-1 was uploaded to sid, and it was not noticed until the final 3.2 was built so we missed out on several security updates.
packages we override with our custom APT repo, see e.g. ~~Bug #14729~~ for one instance of this problem

Subtasks

Related issues

Related to Tails - ~~Bug #14729~~: Fix gdk-pixbuf vulnerability (CVE-2017-2862)	Resolved	2017-09-26
Related to Tails - ~~Feature #15524~~: Iteration 1: Write release process documentation for custom packages	Resolved	2018-04-11
Related to Tails - ~~Bug #17144~~: Merge Debian's 1.5.19-4+deb10u1 into our patched ibus package	Resolved
Blocks Tails - Feature #16209: Core work: Foundations Team	Confirmed

History

#1 Updated by intrigeri 2017-09-27 07:51:59

related to ~~Bug #14729~~: Fix gdk-pixbuf vulnerability (CVE-2017-2862) added

#2 Updated by intrigeri 2017-09-27 07:53:09

Subject changed from Improve tracking of security updates during the freeze to Track security updates during the Tails code freeze
Description updated

#3 Updated by anonym 2017-09-27 13:48:14

The comment ~~Bug #14729#note-4~~ is relevant here. In particular, I believe the solution our security tracking woes is to automate it.

#4 Updated by intrigeri 2017-09-28 05:47:41

A short-term, trivial fix would be to:

add another instance of “Coordinate with Debian security updates” (that we already have in the Pre-freeze section of our release process later in our release process
generalize a bit https://tails.boum.org/contribute/release_process/Debian_security_updates/ to make it cover the two cases this ticket is about

#5 Updated by anonym 2017-11-15 11:30:57

Target version changed from Tails_3.3 to Tails_3.5

#6 Updated by anonym 2018-01-23 19:52:52

Target version changed from Tails_3.5 to Tails_3.6

#7 Updated by anonym 2018-02-19 13:54:43

Target version changed from Tails_3.6 to Tails_3.7

#8 Updated by intrigeri 2018-03-28 09:59:37

Regarding the 1st problem: check the list of packages upgraded between a build from our frozen release branch (stable or testing) and a build from a devel branch (that’s unfrozen).

Regarding the 2nd problem: check if any included package has a smaller version that in Debian stable + security. E.g. use the same API as rmadison uses to query the Debian archive.

#9 Updated by intrigeri 2018-04-13 11:55:33

Target version changed from Tails_3.7 to Tails_3.8

#10 Updated by intrigeri 2018-05-25 13:24:52

Target version changed from Tails_3.8 to Tails_3.10.1

#11 Updated by Anonymous 2018-08-17 06:37:24

Assignee changed from anonym to intrigeri

I’m tentatively reassigning this to FT so you can decide what to do with this ticket.

#12 Updated by intrigeri 2018-08-17 12:23:27

Assignee changed from intrigeri to anonym

> I’m tentatively reassigning this to FT so you can decide what to do with this ticket.

I’d rather leave such tickets assigned to anonym for now so they stand out as something that needs to be shared differently and reassigned, which will make it easier for our team to organize.

#13 Updated by intrigeri 2018-09-11 08:09:03

related to ~~Feature #15524~~: Iteration 1: Write release process documentation for custom packages added

#14 Updated by segfault 2018-10-14 10:55:38

This should also include checking for updates of our custom packages for VeraCrypt support (see ~~Feature #15524~~)

#15 Updated by intrigeri 2018-10-24 17:03:42

Target version changed from Tails_3.10.1 to Tails_3.11

#16 Updated by anonym 2018-12-03 15:20:54

Target version changed from Tails_3.11 to Tails_3.12

#17 Updated by anonym 2019-01-15 13:06:16

intrigeri wrote:
> > I’m tentatively reassigning this to FT so you can decide what to do with this ticket.
>
> I’d rather leave such tickets assigned to anonym for now so they stand out as something that needs to be shared differently and reassigned, which will make it easier for our team to organize.

I’m still having this ticket on my plate, but I’d love if someone else would take it.

#19 Updated by intrigeri 2019-01-25 08:39:34

blocks ~~Feature #15507~~: Core work 2019Q1: Foundations Team added

#20 Updated by intrigeri 2019-01-25 08:39:45

Assignee deleted (~~anonym~~)
Target version changed from Tails_3.12 to Tails_3.13

#21 Updated by intrigeri 2019-03-12 14:16:53

Target version deleted (~~Tails_3.13~~)

#22 Updated by intrigeri 2019-03-12 16:10:26

blocks Feature #16209: Core work: Foundations Team added

#23 Updated by intrigeri 2019-03-12 16:10:34

blocked by deleted (~~~~Feature #15507~~: Core work 2019Q1: Foundations Team~~)

#24 Updated by intrigeri 2019-10-10 11:49:22

related to ~~Bug #17144~~: Merge Debian's 1.5.19-4+deb10u1 into our patched ibus package added