Feature #14999
Upgrade to Stretch 9.3
100%
Description
Stretch 9.3 will be released on December 9th and Linux 4.14 should be uploaded to sid late November. If either one brings interesting updates, we should consider bumping our APT snapshots. We’ll have 1.5 months to do QA so it does not seem crazy. We have tools and processes to do either one of these updates independently from each other, but by default they go together so let’s first handle them as one. We did such an update for 3.3 (bugfix release as well) and it went fine AFAIK, e.g. the Linux 4.13 update fixed some hardware support and no regression was reported to me.
Subtasks
Related issues
Related to Tails - |
Resolved | 2017-10-04 | |
Blocks Tails - |
Resolved | 2017-06-29 | |
Blocks Tails - |
Resolved | 2017-11-17 |
History
#1 Updated by intrigeri 2017-11-25 10:51:35
- blocks Feature #13244: Core work 2017Q4: Foundations Team added
#2 Updated by intrigeri 2017-11-25 10:53:30
- related to Feature #15000: Ensure we benefit from new security features in Linux 4.14 added
#3 Updated by intrigeri 2017-11-26 06:32:52
- related to Bug #14786: Can't change resolution under KVM with QXL added
#4 Updated by intrigeri 2017-12-09 14:37:07
List of bugfixes: https://lists.debian.org/debian-announce/2017/msg00009.html
#5 Updated by intrigeri 2017-12-09 18:20:51
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
- Feature Branch set to feature/14999-Stretch-9.3
#6 Updated by intrigeri 2017-12-09 18:23:32
intrigeri wrote:
> List of bugfixes: https://lists.debian.org/debian-announce/2017/msg00009.html
tl;dr: a few non-critical security fixes (would be nice to have though), some syslinux boot problem fixes. If the diff doesn’t look scary and the tests pass, I think we should take it.
#7 Updated by intrigeri 2017-12-10 05:55:29
Here’s the diff between the 3.3 build-manifest and the one I get when building from the topic branch:
@@ -1,9 +1,9 @@
---
origin_references:
debian:
- reference: '2017110802'
+ reference: '2017120903'
debian-security:
- reference: '2017111304'
+ reference: '2017120903'
torproject:
reference: '2017110802'
packages:
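Review bot: In origin_references, torproject stays at reference '2017110802' while debian and debian-security both move to '2017120903'. If leaving the torproject snapshot behind is intentional, say so in the ticket; otherwise bump it in the same branch so that all three archives are reviewed and tested together.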
@@ -97,7 +97,7 @@
version: 1:019-3
- arch: amd64
package: base-files
- version: 9.9+deb9u1
+ version: 9.9+deb9u3
- arch: amd64
package: base-passwd
version: 3.5.43
@@ -265,7 +265,7 @@
version: 2.2.1-8
- arch: amd64
package: curl
- version: 7.52.1-5+deb9u2
+ version: 7.52.1-5+deb9u3
- arch: amd64
package: dash
version: 0.5.8-2.4
@@ -277,13 +277,13 @@
version: 5.0.0~beta~repack-2
- arch: all
package: dbus-user-session
- version: 1.10.22-0+deb9u1
+ version: 1.10.24-0+deb9u1
- arch: amd64
package: dbus-x11
- version: 1.10.22-0+deb9u1
+ version: 1.10.24-0+deb9u1
- arch: amd64
package: dbus
- version: 1.10.22-0+deb9u1
+ version: 1.10.24-0+deb9u1
- arch: amd64
package: dconf-cli
version: 0.26.0-2+b1
@@ -784,7 +784,7 @@
version: 1.0.1-1
- arch: amd64
package: gdm3
- version: 3.22.3-3
+ version: 3.22.3-3+deb9u1
- arch: all
package: gedit-common
version: 3.22.0-2
@@ -850,7 +850,7 @@
version: 2.36.5-2+deb9u1.0tails1
- arch: amd64
package: gir1.2-gdm-1.0
- version: 3.22.3-3
+ version: 3.22.3-3+deb9u1
- arch: amd64
package: gir1.2-ges-1.0
version: 1.10.4-1
@@ -1288,7 +1288,7 @@
version: 0.35.0+20060710.4
- arch: amd64
package: iproute2
- version: 4.9.0-1
+ version: 4.9.0-1+deb9u1
- arch: amd64
package: iptables
version: 1.6.0+snapshot20161117-6
@@ -1306,7 +1306,7 @@
version: 3.75-1
- arch: all
package: isolinux
- version: 3:6.03+dfsg-14.1
+ version: 3:6.03+dfsg-14.1+deb9u1
- arch: amd64
package: iucode-tool
version: 2.1.1-1
@@ -1480,19 +1480,19 @@
version: 0.5.4-4+b1
- arch: amd64
package: libavcodec57
- version: 7:3.2.8-1~deb9u1
+ version: 7:3.2.9-1~deb9u1
- arch: amd64
package: libavfilter6
- version: 7:3.2.8-1~deb9u1
+ version: 7:3.2.9-1~deb9u1
- arch: amd64
package: libavformat57
- version: 7:3.2.8-1~deb9u1
+ version: 7:3.2.9-1~deb9u1
- arch: amd64
package: libavresample3
- version: 7:3.2.8-1~deb9u1
+ version: 7:3.2.9-1~deb9u1
- arch: amd64
package: libavutil55
- version: 7:3.2.8-1~deb9u1
+ version: 7:3.2.9-1~deb9u1
- arch: all
package: libb-hooks-endofscope-perl
version: 0.21-1
@@ -1819,10 +1819,10 @@
version: 2.2.1-8
- arch: amd64
package: libcurl3-gnutls
- version: 7.52.1-5+deb9u2
+ version: 7.52.1-5+deb9u3
- arch: amd64
package: libcurl3
- version: 7.52.1-5+deb9u2
+ version: 7.52.1-5+deb9u3
- arch: all
package: libdata-optlist-perl
version: 0.110-1
@@ -1840,7 +1840,7 @@
version: 2:1.42-1
- arch: all
package: libdatetime-timezone-perl
- version: 1:2.09-1+2017b
+ version: 1:2.09-1+2017c
- arch: amd64
package: libdatrie1
version: 0.2.10-4+b1
@@ -1852,7 +1852,7 @@
version: 5.3.28-12+deb9u1
- arch: amd64
package: libdbus-1-3
- version: 1.10.22-0+deb9u1
+ version: 1.10.24-0+deb9u1
- arch: amd64
package: libdbus-glib-1-2
version: 0.108-2
@@ -2209,7 +2209,7 @@
version: 2.36.5-2+deb9u1.0tails1
- arch: amd64
package: libgdm1
- version: 3.22.3-3
+ version: 3.22.3-3+deb9u1
- arch: amd64
package: libgee-0.8-2
version: 0.18.1-1
@@ -2551,7 +2551,7 @@
version: 2:1.0.9-2
- arch: amd64
package: libicu57
- version: 57.1-6
+ version: 57.1-6+deb9u1
- arch: amd64
package: libid3tag0
version: 0.15.1b-12
@@ -2788,7 +2788,7 @@
version: 1.14-1+b1
- arch: all
package: liblog-log4perl-perl
- version: 1.48-1
+ version: 1.48-1+deb9u1
- arch: amd64
package: liblogging-stdlog0
version: 1.0.5-2+b2
@@ -2797,10 +2797,10 @@
version: 2.0.1-1.1+b1
- arch: all
package: liblouis-data
- version: 3.0.0-3
+ version: 3.0.0-3+deb9u1
- arch: amd64
package: liblouis12
- version: 3.0.0-3+b1
+ version: 3.0.0-3+deb9u1
- arch: amd64
package: liblqr-1-0
version: 0.4.2-2+b2
@@ -3379,7 +3379,7 @@
version: 0.1~svn20101010-5
- arch: amd64
package: libpostproc54
- version: 7:3.2.8-1~deb9u1
+ version: 7:3.2.9-1~deb9u1
- arch: amd64
package: libpotrace0
version: 1.13-3
@@ -3424,13 +3424,13 @@
version: 2.7.13-2
- arch: amd64
package: libpython2.7-minimal
- version: 2.7.13-2
+ version: 2.7.13-2+deb9u2
- arch: amd64
package: libpython2.7-stdlib
- version: 2.7.13-2
+ version: 2.7.13-2+deb9u2
- arch: amd64
package: libpython2.7
- version: 2.7.13-2
+ version: 2.7.13-2+deb9u2
- arch: amd64
package: libpython3-stdlib
version: 3.5.3-1
@@ -3745,7 +3745,7 @@
version: 2.29.2-1
- arch: amd64
package: libsmbclient
- version: 2:4.5.12+dfsg-2
+ version: 2:4.5.12+dfsg-2+deb9u1
- arch: amd64
package: libsnappy1v5
version: 1.1.3-3
@@ -3805,7 +3805,7 @@
version: 1.2~rc1.2-1+b2
- arch: amd64
package: libsqlite3-0
- version: 3.16.2-5
+ version: 3.16.2-5+deb9u1
- arch: amd64
package: libsratom-0-0
version: 0.6.0~dfsg0-1
@@ -3825,15 +3825,9 @@
package: libssl1.0.2
version: 1.0.2l-2+deb9u1
- arch: amd64
- package: libssl1.0.2
- version: 1.0.2l-2
- - arch: amd64
package: libssl1.1
version: 1.1.0f-3+deb9u1
- arch: amd64
- package: libssl1.1
- version: 1.1.0f-3
- - arch: amd64
package: libstartup-notification0
version: 0.12-4+b2
- arch: amd64
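Review bot: The two entries removed here, libssl1.0.2 1.0.2l-2 and libssl1.1 1.1.0f-3, were second, older versions listed next to the +deb9u1 builds that remain, so the 3.3 manifest recorded a pre-+deb9u1 OpenSSL build being used somewhere during the build. The diff does not show which step consumed it; please note in the ticket where the duplicates came from and confirm they were not what ended up in the image. The wget hunk further down has the same pattern (1.18-5 dropped, 1.18-5+deb9u1 kept).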
@@ -3883,10 +3877,10 @@
version: 2.17-2
- arch: amd64
package: libswresample2
- version: 7:3.2.8-1~deb9u1
+ version: 7:3.2.9-1~deb9u1
- arch: amd64
package: libswscale4
- version: 7:3.2.8-1~deb9u1
+ version: 7:3.2.9-1~deb9u1
- arch: all
package: libsyntax-keyword-junction-perl
version: 0.003008-1
@@ -4120,7 +4114,7 @@
version: 1.12.0-1
- arch: amd64
package: libwbclient0
- version: 2:4.5.12+dfsg-2
+ version: 2:4.5.12+dfsg-2+deb9u1
- arch: amd64
package: libwebkit2gtk-4.0-37
version: 2.16.6-0+deb9u1
@@ -4270,7 +4264,7 @@
version: 1:0.4.4-2
- arch: amd64
package: libxcursor1
- version: 1:1.1.14-1+b4
+ version: 1:1.1.14-1+deb9u1
- arch: amd64
package: libxdamage1
version: 1:1.1.4-2+b3
@@ -4306,10 +4300,10 @@
version: 2:1.1.3-1+b3
- arch: amd64
package: libxkbcommon-x11-0
- version: 0.7.1-1
+ version: 0.7.1-2~deb9u1
- arch: amd64
package: libxkbcommon0
- version: 0.7.1-1
+ version: 0.7.1-2~deb9u1
- arch: amd64
package: libxkbfile1
version: 1:1.0.9-2
@@ -4324,7 +4318,7 @@
version: 0.41-2
- arch: amd64
package: libxml-libxml-perl
- version: 2.0128+dfsg-1+b1
+ version: 2.0128+dfsg-1+deb9u1
- arch: amd64
package: libxml-libxslt-perl
version: 1.95-1+b1
@@ -4453,22 +4447,22 @@
version: '4.5'
- arch: amd64
package: linux-compiler-gcc-6-x86
- version: 4.13.10-1
+ version: 4.13.13-1
- arch: amd64
package: linux-headers-4.13.0-1-amd64
- version: 4.13.10-1
+ version: 4.13.13-1
- arch: all
package: linux-headers-4.13.0-1-common
- version: 4.13.10-1
+ version: 4.13.13-1
- arch: amd64
package: linux-image-4.13.0-1-amd64
- version: 4.13.10-1
+ version: 4.13.13-1
- arch: amd64
package: linux-kbuild-4.13
- version: 4.13.10-1
+ version: 4.13.13-1
- arch: amd64
package: linux-libc-dev
- version: 4.9.51-1
+ version: 4.9.65-3
- arch: all
package: live-boot-initramfs-tools
version: 1:20170112
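Review bot: linux-libc-dev moves within 4.9.x (4.9.51-1 to 4.9.65-3) while the image, headers, compiler and kbuild packages move within 4.13.x (4.13.10-1 to 4.13.13-1), so this manifest carries two kernel source versions; one line in the ticket stating that this is expected would save the next reviewer the question. The package names keep the 4.13.0-1 suffix, so nothing in this hunk brings in Linux 4.14, and the 4.14 part of the ticket is not covered by this build.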
@@ -4480,10 +4474,10 @@
version: 1:20170213
- arch: all
package: live-config-systemd
- version: '5.20170112'
+ version: 5.20170112+deb9u1
- arch: all
package: live-config
- version: '5.20170112'
+ version: 5.20170112+deb9u1
- arch: all
package: live-tools
version: 1:20151214+nmu1
@@ -4663,7 +4657,7 @@
version: 1.0-1
- arch: amd64
package: openssh-client
- version: 1:7.4p1-10+deb9u1
+ version: 1:7.4p1-10+deb9u2
- arch: amd64
package: openssl
version: 1.1.0f-3+deb9u1
@@ -4951,10 +4945,10 @@
version: 0.10+doc-10.1
- arch: amd64
package: python2.7-minimal
- version: 2.7.13-2
+ version: 2.7.13-2+deb9u2
- arch: amd64
package: python2.7
- version: 2.7.13-2
+ version: 2.7.13-2+deb9u2
- arch: amd64
package: python3-apt
version: 1.4.0~beta3
@@ -5020,7 +5014,7 @@
version: 2.8-1
- arch: all
package: python3-louis
- version: 3.0.0-3
+ version: 3.0.0-3+deb9u1
- arch: amd64
package: python3-lxml
version: 3.7.1-1
@@ -5173,7 +5167,7 @@
version: 8.24.0-1
- arch: amd64
package: samba-libs
- version: 2:4.5.12+dfsg-2
+ version: 2:4.5.12+dfsg-2+deb9u1
- arch: amd64
package: sane-utils
version: 1.0.25-4.1
@@ -5233,7 +5227,7 @@
version: 0.17.0-1
- arch: amd64
package: sqlite3
- version: 3.16.2-5
+ version: 3.16.2-5+deb9u1
- arch: amd64
package: squashfs-tools
version: 1:4.3-3.0tails4
@@ -5257,16 +5251,16 @@
version: 0.84.2
- arch: all
package: syslinux-common
- version: 3:6.03+dfsg-14.1
+ version: 3:6.03+dfsg-14.1+deb9u1
- arch: all
package: syslinux-efi
- version: 3:6.03+dfsg-14.1
+ version: 3:6.03+dfsg-14.1+deb9u1
- arch: amd64
package: syslinux-utils
- version: 3:6.03+dfsg-14.1
+ version: 3:6.03+dfsg-14.1+deb9u1
- arch: amd64
package: syslinux
- version: 3:6.03+dfsg-14.1
+ version: 3:6.03+dfsg-14.1+deb9u1
- arch: all
package: system-config-printer-common
version: 1.5.7-3
@@ -5533,7 +5527,7 @@
version: 1:9.0.06-2
- arch: all
package: tzdata
- version: 2017b-1
+ version: 2017c-0+deb9u1
- arch: all
package: ucf
version: '3.0036'
@@ -5584,13 +5578,13 @@
version: 2:8.0.0197-4+deb9u1
- arch: all
package: virtualbox-guest-dkms
- version: 5.2.0-dfsg-4
+ version: 5.2.2-dfsg-3
- arch: amd64
package: virtualbox-guest-utils
- version: 5.2.0-dfsg-4
+ version: 5.2.2-dfsg-3
- arch: amd64
package: virtualbox-guest-x11
- version: 5.2.0-dfsg-4
+ version: 5.2.2-dfsg-3
- arch: all
package: wamerican
version: 7.1-1
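Review bot: The three virtualbox-guest packages go from 5.2.0-dfsg-4 to 5.2.2-dfsg-3, a new upstream version with no +deb9uN suffix, so it does not look like part of the Stretch point release and should be reviewed separately from the 9.3 changes. Since virtualbox-guest-dkms is built against kernel headers that change in the same manifest, a boot test as a VirtualBox guest should be recorded before merge.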
@@ -5598,9 +5592,6 @@
package: wget
version: 1.18-5+deb9u1
- arch: amd64
- package: wget
- version: 1.18-5
- - arch: amd64
package: whiptail
version: 0.52.19-1+b1
- arch: all
@@ -5791,6 +5782,6 @@
version: 1:1.2.8.dfsg-5
source:
- package: syslinux
- version: 3:6.03+dfsg-14.1
+ version: 3:6.03+dfsg-14.1+deb9u1
- package: torbrowser-launcher
- version: 0.2.8-4
+ version: 0.2.8-5
#8 Updated by intrigeri 2017-12-10 05:58:51
I’ve inspected that diff and found nothing alarming.
#9 Updated by intrigeri 2017-12-10 06:31:44
- % Done changed from 10 to 20
intrigeri wrote:
> I’ve inspected that diff and found nothing alarming.
Same for the diff between the .packages files.
I’ve run the full test suite and the only failures were:
- “Symmetric encryption and decryption using OpenPGP Applet” which looks like a test suite bug:
  Last ignored exception was: FindFailed: can not find GpgAppletEncryptPassphrase.png
  but that menu entry is on the screen, so I suspect the try_for + wait_and_click logic is confused by the fuzzy matching, or something
- “Unsafe Browser failed to launch in the following locale(s): en_US.utf8” which looks like a test suite bug: the Unsafe Browser did start in English, but the test suite got confused, did not even start it in the 2nd language to be tested, and then successfully started it in the 3rd one; I’ll report back on Bug #15006
Bug #14819, despite building from commit:6c23dc58e241abd46efba7f861baa1b4fdf2e811 i.e. commit:aac8f18098c52ceb017490d399fbce2f026c6897 and commit:01f13a806da5cc0c63e6d675de6659da4292cc30 were in use => I’ll report back there
I’d like to see the first scenario pass at least once so I’ve started another run. But I’m not sure if I should block on the other ones: on the one hand it feels a bit scary to send this to review’n’merge despite our test suite not having been able to validate MAC spoofing; OTOH we can’t block all development on test suite bugs, so well. If I make up my mind and call this ready for QA, I’ll move the Linux 4.14 part to another ticket: the snapshot I’ve picked so far still has 4.13 (and has 4.14 too), so it’s a “Linux 4.14 is blocked by Stretch 9.3” relationship and not 2 things we have to do in lockstep :)
#10 Updated by intrigeri 2017-12-10 15:05:38
- Subject changed from Consider upgrading to Stretch 9.3 and Linux 4.14 in Tails 3.4 to Upgrade to Stretch 9.3 in Tails 3.4
- Assignee changed from intrigeri to anonym
- % Done changed from 20 to 50
- QA Check set to Ready for QA
intrigeri wrote:
> I’d like to see the first scenario pass at least once so I’ve started another run.
… and it passed.
> But I’m not sure if I should block on the other ones: on the one hand it feels a bit scary to send this to review’n’merge despite our test suite not having been able to validate MAC spoofing; OTOH we can’t block all development on test suite bugs, so well.
I’ll let anonym decide.
> If I make up my mind and call this ready for QA, I’ll move the Linux 4.14 part to another ticket: […]
Will do!
Post-merge step
Bump the expiration date of the new snapshot to match the old one’s.
#11 Updated by intrigeri 2017-12-10 15:06:07
- related to deleted (Feature #15000: Ensure we benefit from new security features in Linux 4.14)
#12 Updated by intrigeri 2017-12-10 15:06:58
- blocks Feature #14976: Upgrade the Linux kernel to get KPTI added
#13 Updated by intrigeri 2017-12-10 15:07:09
- Subject changed from Upgrade to Stretch 9.3 in Tails 3.4 to Upgrade to Stretch 9.3
#14 Updated by anonym 2017-12-14 12:54:35
- Status changed from In Progress to Fix committed
- Assignee deleted (anonym)
- % Done changed from 50 to 100
- QA Check changed from Ready for QA to Pass
Initially I was very confused by my .packages diff, but that turned out to be Bug #15041. I was also confused by
package: wget
version: 1.18-5+deb9u1
- arch: amd64
- package: wget
- version: 1.18-5
- - arch: amd64
but I realize the other wget version probably was used by the build system.
intrigeri wrote:
> intrigeri wrote:
> > I’d like to see the first scenario pass at least once so I’ve started another run.
>
> … and it passed.
I have seen the full (except one scenario due to Bug #14935) test suite pass with an image with the fixes for Bug #14993 + Feature #14999 + Bug #15019, so it looks good => merged!
> > But I’m not sure if I should block on the other ones: on the one hand it feels a bit scary to send this to review’n’merge despite our test suite not having been able to validate MAC spoofing; OTOH we can’t block all development on test suite bugs, so well.
>
> I’ll let anonym decide.
I manually tested Bug #14935, so this is not a concern any more!
> Post-merge step
>
> Bump the expiration date of the new snapshot to match the old one’s.
Bumped:
config/APT_snapshots.d:
* Archive 'debian' uses snapshot '2017120903' which expires on: Thu, 22 Mar 2018 12:40:31 +0000
* Archive 'debian-security' uses snapshot 'latest' which expires on: never
* Archive 'torproject' uses snapshot '2017120803' which expires on: Thu, 22 Mar 2018 12:40:38 +0000
---
vagrant/definitions/tails-builder/config/APT_snapshots.d:
* Archive 'debian' uses snapshot '2017091504' which expires on: Thu, 22 Mar 2018 16:41:14 +0000
* Archive 'debian-security' uses snapshot '2017091504' which expires on: Thu, 22 Mar 2018 16:41:20 +0000
* Archive 'tails' uses snapshot '2017091504' which expires on: Thu, 22 Mar 2018 16:41:23 +0000
---
#15 Updated by intrigeri 2018-01-04 18:26:38
- Target version changed from Tails_3.5 to Tails_3.4
#16 Updated by anonym 2018-01-09 20:52:28
- Status changed from Fix committed to Resolved