Feature #14999

Upgrade to Stretch 9.3

Added by intrigeri 2017-11-25 10:48:10. Updated 2018-01-09 20:52:28.

Status: Resolved
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2017-11-25
Due date:
% Done: 100%
Feature Branch: feature/14999-Stretch-9.3
Type of work: Research
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

Stretch 9.3 will be released on December 9th and Linux 4.14 should be uploaded to sid late November. If either one brings interesting updates, we should consider bumping our APT snapshots. We’ll have 1.5 months to do QA so it does not seem crazy. We have tools and processes to do either one of these updates independently from each other, but by default they go together so let’s first handle them as one. We did such an update for 3.3 (bugfix release as well) and it went fine AFAIK, e.g. the Linux 4.13 update fixed some hardware support and no regression was reported to me.


Related issues

  • Related to Tails - Bug #14786: Can't change resolution under KVM with QXL (Resolved, 2017-10-04)
  • Blocks Tails - Feature #13244: Core work 2017Q4: Foundations Team (Resolved, 2017-06-29)
  • Blocks Tails - Feature #14976: Upgrade the Linux kernel to get KPTI (Resolved, 2017-11-17)

History

#1 Updated by intrigeri 2017-11-25 10:51:35

#2 Updated by intrigeri 2017-11-25 10:53:30

  • related to Feature #15000: Ensure we benefit from new security features in Linux 4.14 added

#3 Updated by intrigeri 2017-11-26 06:32:52

  • related to Bug #14786: Can't change resolution under KVM with QXL added

#5 Updated by intrigeri 2017-12-09 18:20:51

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to feature/14999-Stretch-9.3

#6 Updated by intrigeri 2017-12-09 18:23:32

intrigeri wrote:
> List of bugfixes: https://lists.debian.org/debian-announce/2017/msg00009.html

tl;dr: a few non-critical security fixes (would be nice to have though), some syslinux boot problem fixes. If the diff doesn’t look scary and the tests pass, I think we should take it.

#7 Updated by intrigeri 2017-12-10 05:55:29

Here’s the diff between the 3.3 build-manifest and the one I get when building from the topic branch:

@@ -1,9 +1,9 @@
 ---
 origin_references:
   debian:
-    reference: '2017110802'
+    reference: '2017120903'
   debian-security:
-    reference: '2017111304'
+    reference: '2017120903'
   torproject:
     reference: '2017110802'
 packages:
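
Review bot: torproject stays at reference '2017110802' in this hunk while debian and debian-security both move to '2017120903'. State in the ticket whether the torproject snapshot is deliberately left at the 3.3 value, so that the mixed snapshot serials are a recorded decision and not an oversight.
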
@@ -97,7 +97,7 @@
     version: 1:019-3
   - arch: amd64
     package: base-files
-    version: 9.9+deb9u1
+    version: 9.9+deb9u3
   - arch: amd64
     package: base-passwd
     version: 3.5.43
@@ -265,7 +265,7 @@
     version: 2.2.1-8
   - arch: amd64
     package: curl
-    version: 7.52.1-5+deb9u2
+    version: 7.52.1-5+deb9u3
   - arch: amd64
     package: dash
     version: 0.5.8-2.4
@@ -277,13 +277,13 @@
     version: 5.0.0~beta~repack-2
   - arch: all
     package: dbus-user-session
-    version: 1.10.22-0+deb9u1
+    version: 1.10.24-0+deb9u1
   - arch: amd64
     package: dbus-x11
-    version: 1.10.22-0+deb9u1
+    version: 1.10.24-0+deb9u1
   - arch: amd64
     package: dbus
-    version: 1.10.22-0+deb9u1
+    version: 1.10.24-0+deb9u1
   - arch: amd64
     package: dconf-cli
     version: 0.26.0-2+b1
@@ -784,7 +784,7 @@
     version: 1.0.1-1
   - arch: amd64
     package: gdm3
-    version: 3.22.3-3
+    version: 3.22.3-3+deb9u1
   - arch: all
     package: gedit-common
     version: 3.22.0-2
@@ -850,7 +850,7 @@
     version: 2.36.5-2+deb9u1.0tails1
   - arch: amd64
     package: gir1.2-gdm-1.0
-    version: 3.22.3-3
+    version: 3.22.3-3+deb9u1
   - arch: amd64
     package: gir1.2-ges-1.0
     version: 1.10.4-1
@@ -1288,7 +1288,7 @@
     version: 0.35.0+20060710.4
   - arch: amd64
     package: iproute2
-    version: 4.9.0-1
+    version: 4.9.0-1+deb9u1
   - arch: amd64
     package: iptables
     version: 1.6.0+snapshot20161117-6
@@ -1306,7 +1306,7 @@
     version: 3.75-1
   - arch: all
     package: isolinux
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - arch: amd64
     package: iucode-tool
     version: 2.1.1-1
@@ -1480,19 +1480,19 @@
     version: 0.5.4-4+b1
   - arch: amd64
     package: libavcodec57
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libavfilter6
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libavformat57
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libavresample3
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libavutil55
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: all
     package: libb-hooks-endofscope-perl
     version: 0.21-1
@@ -1819,10 +1819,10 @@
     version: 2.2.1-8
   - arch: amd64
     package: libcurl3-gnutls
-    version: 7.52.1-5+deb9u2
+    version: 7.52.1-5+deb9u3
   - arch: amd64
     package: libcurl3
-    version: 7.52.1-5+deb9u2
+    version: 7.52.1-5+deb9u3
   - arch: all
     package: libdata-optlist-perl
     version: 0.110-1
@@ -1840,7 +1840,7 @@
     version: 2:1.42-1
   - arch: all
     package: libdatetime-timezone-perl
-    version: 1:2.09-1+2017b
+    version: 1:2.09-1+2017c
   - arch: amd64
     package: libdatrie1
     version: 0.2.10-4+b1
@@ -1852,7 +1852,7 @@
     version: 5.3.28-12+deb9u1
   - arch: amd64
     package: libdbus-1-3
-    version: 1.10.22-0+deb9u1
+    version: 1.10.24-0+deb9u1
   - arch: amd64
     package: libdbus-glib-1-2
     version: 0.108-2
@@ -2209,7 +2209,7 @@
     version: 2.36.5-2+deb9u1.0tails1
   - arch: amd64
     package: libgdm1
-    version: 3.22.3-3
+    version: 3.22.3-3+deb9u1
   - arch: amd64
     package: libgee-0.8-2
     version: 0.18.1-1
@@ -2551,7 +2551,7 @@
     version: 2:1.0.9-2
   - arch: amd64
     package: libicu57
-    version: 57.1-6
+    version: 57.1-6+deb9u1
   - arch: amd64
     package: libid3tag0
     version: 0.15.1b-12
@@ -2788,7 +2788,7 @@
     version: 1.14-1+b1
   - arch: all
     package: liblog-log4perl-perl
-    version: 1.48-1
+    version: 1.48-1+deb9u1
   - arch: amd64
     package: liblogging-stdlog0
     version: 1.0.5-2+b2
@@ -2797,10 +2797,10 @@
     version: 2.0.1-1.1+b1
   - arch: all
     package: liblouis-data
-    version: 3.0.0-3
+    version: 3.0.0-3+deb9u1
   - arch: amd64
     package: liblouis12
-    version: 3.0.0-3+b1
+    version: 3.0.0-3+deb9u1
   - arch: amd64
     package: liblqr-1-0
     version: 0.4.2-2+b2
@@ -3379,7 +3379,7 @@
     version: 0.1~svn20101010-5
   - arch: amd64
     package: libpostproc54
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libpotrace0
     version: 1.13-3
@@ -3424,13 +3424,13 @@
     version: 2.7.13-2
   - arch: amd64
     package: libpython2.7-minimal
-    version: 2.7.13-2
+    version: 2.7.13-2+deb9u2
   - arch: amd64
     package: libpython2.7-stdlib
-    version: 2.7.13-2
+    version: 2.7.13-2+deb9u2
   - arch: amd64
     package: libpython2.7
-    version: 2.7.13-2
+    version: 2.7.13-2+deb9u2
   - arch: amd64
     package: libpython3-stdlib
     version: 3.5.3-1
@@ -3745,7 +3745,7 @@
     version: 2.29.2-1
   - arch: amd64
     package: libsmbclient
-    version: 2:4.5.12+dfsg-2
+    version: 2:4.5.12+dfsg-2+deb9u1
   - arch: amd64
     package: libsnappy1v5
     version: 1.1.3-3
@@ -3805,7 +3805,7 @@
     version: 1.2~rc1.2-1+b2
   - arch: amd64
     package: libsqlite3-0
-    version: 3.16.2-5
+    version: 3.16.2-5+deb9u1
   - arch: amd64
     package: libsratom-0-0
     version: 0.6.0~dfsg0-1
@@ -3825,15 +3825,9 @@
     package: libssl1.0.2
     version: 1.0.2l-2+deb9u1
   - arch: amd64
-    package: libssl1.0.2
-    version: 1.0.2l-2
-  - arch: amd64
     package: libssl1.1
     version: 1.1.0f-3+deb9u1
   - arch: amd64
-    package: libssl1.1
-    version: 1.1.0f-3
-  - arch: amd64
     package: libstartup-notification0
     version: 0.12-4+b2
   - arch: amd64
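
Review bot: the two three-line removals under libssl1.0.2 and libssl1.1 are not version bumps. They drop a second, older entry (1.0.2l-2 and 1.1.0f-3) for a package whose +deb9u1 entry stays, which means the old manifest listed each of these packages twice. Record why two versions appeared in the 3.3 manifest and why only one remains, and check that no package is still listed with two versions in the new one; the wget hunk later in this diff has the same shape.
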
@@ -3883,10 +3877,10 @@
     version: 2.17-2
   - arch: amd64
     package: libswresample2
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: amd64
     package: libswscale4
-    version: 7:3.2.8-1~deb9u1
+    version: 7:3.2.9-1~deb9u1
   - arch: all
     package: libsyntax-keyword-junction-perl
     version: 0.003008-1
@@ -4120,7 +4114,7 @@
     version: 1.12.0-1
   - arch: amd64
     package: libwbclient0
-    version: 2:4.5.12+dfsg-2
+    version: 2:4.5.12+dfsg-2+deb9u1
   - arch: amd64
     package: libwebkit2gtk-4.0-37
     version: 2.16.6-0+deb9u1
@@ -4270,7 +4264,7 @@
     version: 1:0.4.4-2
   - arch: amd64
     package: libxcursor1
-    version: 1:1.1.14-1+b4
+    version: 1:1.1.14-1+deb9u1
   - arch: amd64
     package: libxdamage1
     version: 1:1.1.4-2+b3
@@ -4306,10 +4300,10 @@
     version: 2:1.1.3-1+b3
   - arch: amd64
     package: libxkbcommon-x11-0
-    version: 0.7.1-1
+    version: 0.7.1-2~deb9u1
   - arch: amd64
     package: libxkbcommon0
-    version: 0.7.1-1
+    version: 0.7.1-2~deb9u1
   - arch: amd64
     package: libxkbfile1
     version: 1:1.0.9-2
@@ -4324,7 +4318,7 @@
     version: 0.41-2
   - arch: amd64
     package: libxml-libxml-perl
-    version: 2.0128+dfsg-1+b1
+    version: 2.0128+dfsg-1+deb9u1
   - arch: amd64
     package: libxml-libxslt-perl
     version: 1.95-1+b1
@@ -4453,22 +4447,22 @@
     version: '4.5'
   - arch: amd64
     package: linux-compiler-gcc-6-x86
-    version: 4.13.10-1
+    version: 4.13.13-1
   - arch: amd64
     package: linux-headers-4.13.0-1-amd64
-    version: 4.13.10-1
+    version: 4.13.13-1
   - arch: all
     package: linux-headers-4.13.0-1-common
-    version: 4.13.10-1
+    version: 4.13.13-1
   - arch: amd64
     package: linux-image-4.13.0-1-amd64
-    version: 4.13.10-1
+    version: 4.13.13-1
   - arch: amd64
     package: linux-kbuild-4.13
-    version: 4.13.10-1
+    version: 4.13.13-1
   - arch: amd64
     package: linux-libc-dev
-    version: 4.9.51-1
+    version: 4.9.65-3
   - arch: all
     package: live-boot-initramfs-tools
     version: 1:20170112
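
Review bot: linux-libc-dev moves within the 4.9 series (4.9.51-1 to 4.9.65-3) while linux-image, linux-headers, linux-kbuild and linux-compiler-gcc-6-x86 move from 4.13.10-1 to 4.13.13-1, so the userspace kernel headers and the kernel image come from different series both before and after. If that split is intended, say so next to the kernel pinning. The package names keep the 4.13.0-1 ABI, which confirms the image stays on 4.13 with the new snapshot; that is worth stating explicitly since the ticket originally covered Linux 4.14 as well.
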
@@ -4480,10 +4474,10 @@
     version: 1:20170213
   - arch: all
     package: live-config-systemd
-    version: '5.20170112'
+    version: 5.20170112+deb9u1
   - arch: all
     package: live-config
-    version: '5.20170112'
+    version: 5.20170112+deb9u1
   - arch: all
     package: live-tools
     version: 1:20151214+nmu1
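
Review bot: the live-config and live-config-systemd values lose their quotes here, going from '5.20170112' to 5.20170112+deb9u1. The old value needed the quotes to stay a string (unquoted it reads as a YAML number), while the new one is a string either way. Any tooling that compares manifest versions should load every version as a string so that this change is reported as a version bump only.
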
@@ -4663,7 +4657,7 @@
     version: 1.0-1
   - arch: amd64
     package: openssh-client
-    version: 1:7.4p1-10+deb9u1
+    version: 1:7.4p1-10+deb9u2
   - arch: amd64
     package: openssl
     version: 1.1.0f-3+deb9u1
@@ -4951,10 +4945,10 @@
     version: 0.10+doc-10.1
   - arch: amd64
     package: python2.7-minimal
-    version: 2.7.13-2
+    version: 2.7.13-2+deb9u2
   - arch: amd64
     package: python2.7
-    version: 2.7.13-2
+    version: 2.7.13-2+deb9u2
   - arch: amd64
     package: python3-apt
     version: 1.4.0~beta3
@@ -5020,7 +5014,7 @@
     version: 2.8-1
   - arch: all
     package: python3-louis
-    version: 3.0.0-3
+    version: 3.0.0-3+deb9u1
   - arch: amd64
     package: python3-lxml
     version: 3.7.1-1
@@ -5173,7 +5167,7 @@
     version: 8.24.0-1
   - arch: amd64
     package: samba-libs
-    version: 2:4.5.12+dfsg-2
+    version: 2:4.5.12+dfsg-2+deb9u1
   - arch: amd64
     package: sane-utils
     version: 1.0.25-4.1
@@ -5233,7 +5227,7 @@
     version: 0.17.0-1
   - arch: amd64
     package: sqlite3
-    version: 3.16.2-5
+    version: 3.16.2-5+deb9u1
   - arch: amd64
     package: squashfs-tools
     version: 1:4.3-3.0tails4
@@ -5257,16 +5251,16 @@
     version: 0.84.2
   - arch: all
     package: syslinux-common
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - arch: all
     package: syslinux-efi
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - arch: amd64
     package: syslinux-utils
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - arch: amd64
     package: syslinux
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - arch: all
     package: system-config-printer-common
     version: 1.5.7-3
@@ -5533,7 +5527,7 @@
     version: 1:9.0.06-2
   - arch: all
     package: tzdata
-    version: 2017b-1
+    version: 2017c-0+deb9u1
   - arch: all
     package: ucf
     version: '3.0036'
@@ -5584,13 +5578,13 @@
     version: 2:8.0.0197-4+deb9u1
   - arch: all
     package: virtualbox-guest-dkms
-    version: 5.2.0-dfsg-4
+    version: 5.2.2-dfsg-3
   - arch: amd64
     package: virtualbox-guest-utils
-    version: 5.2.0-dfsg-4
+    version: 5.2.2-dfsg-3
   - arch: amd64
     package: virtualbox-guest-x11
-    version: 5.2.0-dfsg-4
+    version: 5.2.2-dfsg-3
   - arch: all
     package: wamerican
     version: 7.1-1
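
Review bot: virtualbox-guest-dkms, virtualbox-guest-utils and virtualbox-guest-x11 go from 5.2.0-dfsg-4 to 5.2.2-dfsg-3, a new upstream version with no +deb9u suffix, unlike most bumps in this diff. Because the set includes a DKMS module, which is compiled against the kernel headers that also change in this diff (4.13.13-1), confirm that the module built and that the resulting image was started at least once as a VirtualBox guest.
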
@@ -5598,9 +5592,6 @@
     package: wget
     version: 1.18-5+deb9u1
   - arch: amd64
-    package: wget
-    version: 1.18-5
-  - arch: amd64
     package: whiptail
     version: 0.52.19-1+b1
   - arch: all
@@ -5791,6 +5782,6 @@
     version: 1:1.2.8.dfsg-5
   source:
   - package: syslinux
-    version: 3:6.03+dfsg-14.1
+    version: 3:6.03+dfsg-14.1+deb9u1
   - package: torbrowser-launcher
-    version: 0.2.8-4
+    version: 0.2.8-5

#8 Updated by intrigeri 2017-12-10 05:58:51

I’ve inspected that diff and found nothing alarming.
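
An added example, not part of the ticket or of Tails' own tooling: a summary pass over two build manifests that separates plain version bumps from the cases a reviewer has to explain, namely a package that loses a second listed version (as wget and libssl do in the diff above) and a bump without a deb9u suffix. The helper names, the constructed excerpts and the suffix heuristic are assumptions; the versions are copied from the diff.

```python
import re
from collections import defaultdict

def manifest(*rows):
    """Render (arch, package, version) rows in the build-manifest layout."""
    return "packages:\n" + "".join(
        f"  - arch: {a}\n    package: {p}\n    version: {v}\n" for a, p, v in rows)

# Constructed excerpts; package names and versions are copied from the diff.
OLD = manifest(
    ("amd64", "curl", "7.52.1-5+deb9u2"),
    ("amd64", "libxkbcommon0", "0.7.1-1"),
    ("all", "live-config", "'5.20170112'"),
    ("amd64", "virtualbox-guest-utils", "5.2.0-dfsg-4"),
    ("amd64", "wget", "1.18-5+deb9u1"),
    ("amd64", "wget", "1.18-5"),
)
NEW = manifest(
    ("amd64", "curl", "7.52.1-5+deb9u3"),
    ("amd64", "libxkbcommon0", "0.7.1-2~deb9u1"),
    ("all", "live-config", "5.20170112+deb9u1"),
    ("amd64", "virtualbox-guest-utils", "5.2.2-dfsg-3"),
    ("amd64", "wget", "1.18-5+deb9u1"),
)

ENTRY = re.compile(r"^ +package: (\S+)\n +version: '?([^'\n]+)'?$", re.M)
# Assumption: a +deb9uN or ~deb9uN suffix marks a Stretch stable update.
STABLE_UPDATE = re.compile(r"[+~]deb9u\d+")

def parse(text):
    """Map package name -> set of version strings, quotes stripped."""
    versions = defaultdict(set)
    for name, version in ENTRY.findall(text):
        versions[name].add(version)
    return versions

def review(old_text, new_text):
    """Classify the differences between two manifests."""
    old, new = parse(old_text), parse(new_text)
    report = {"changed": {}, "not_stable_update": [],
              "dropped_duplicate": [], "still_duplicated": [],
              "added": sorted(new.keys() - old.keys()),
              "removed": sorted(old.keys() - new.keys())}
    for name in sorted(old.keys() & new.keys()):
        if len(new[name]) > 1:            # two versions of one package remain
            report["still_duplicated"].append(name)
        elif len(old[name]) > 1 and new[name] <= old[name]:
            report["dropped_duplicate"].append(name)   # e.g. wget, libssl1.1
        elif old[name] != new[name]:
            (new_version,) = new[name]
            report["changed"][name] = (sorted(old[name]), new_version)
            if not STABLE_UPDATE.search(new_version):
                report["not_stable_update"].append(name)
    return report
```

Versions are kept as strings throughout, so the quoted '5.20170112' and the unquoted 5.20170112+deb9u1 compare as text and the entry shows up as an ordinary bump.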

#9 Updated by intrigeri 2017-12-10 06:31:44

  • % Done changed from 10 to 20

intrigeri wrote:
> I’ve inspected that diff and found nothing alarming.

Same for the diff between the .packages files.

I’ve run the full test suite and the only failures were:

  • “Symmetric encryption and decryption using OpenPGP Applet” which looks like a test suite bug: Last ignored exception was: FindFailed: can not find GpgAppletEncryptPassphrase.png but that menu entry is on the screen, so I suspect the try_for + wait_and_click logic is confused by the fuzzy matching, or something
  • “Unsafe Browser failed to launch in the following locale(s): en_US.utf8” which looks like a test suite bug: the Unsafe Browser did start in English, but the test suite got confused, did not even start it in the 2nd language to be tested, and then successfully started it in the 3rd one; I’ll report back on Bug #15006
  • Bug #14819, despite building from commit:6c23dc58e241abd46efba7f861baa1b4fdf2e811 i.e. commit:aac8f18098c52ceb017490d399fbce2f026c6897 and commit:01f13a806da5cc0c63e6d675de6659da4292cc30 were in use => I’ll report back there

I’d like to see the first scenario pass at least once so I’ve started another run. But I’m not sure if I should block on the other ones: on the one hand it feels a bit scary to send this to review’n’merge despite our test suite not having been able to validate MAC spoofing; OTOH we can’t block all development on test suite bugs, so well. If I make up my mind and call this ready for QA, I’ll move the Linux 4.14 part to another ticket: the snapshot I’ve picked so far still has 4.13 (and has 4.14 too), so it’s a “Linux 4.14 is blocked by Stretch 9.3” relationship and not 2 things we have to do in lockstep :)

#10 Updated by intrigeri 2017-12-10 15:05:38

  • Subject changed from Consider upgrading to Stretch 9.3 and Linux 4.14 in Tails 3.4 to Upgrade to Stretch 9.3 in Tails 3.4
  • Assignee changed from intrigeri to anonym
  • % Done changed from 20 to 50
  • QA Check set to Ready for QA

intrigeri wrote:
> I’d like to see the first scenario pass at least once so I’ve started another run.

… and it passed.

> But I’m not sure if I should block on the other ones: on the one hand it feels a bit scary to send this to review’n’merge despite our test suite not having been able to validate MAC spoofing; OTOH we can’t block all development on test suite bugs, so well.

I’ll let anonym decide.

> If I make up my mind and call this ready for QA, I’ll move the Linux 4.14 part to another ticket: […]

Will do!

Post-merge step

Bump the expiration date of the new snapshot to match the old one’s.

#11 Updated by intrigeri 2017-12-10 15:06:07

  • related to deleted (Feature #15000: Ensure we benefit from new security features in Linux 4.14)

#12 Updated by intrigeri 2017-12-10 15:06:58

#13 Updated by intrigeri 2017-12-10 15:07:09

  • Subject changed from Upgrade to Stretch 9.3 in Tails 3.4 to Upgrade to Stretch 9.3

#14 Updated by anonym 2017-12-14 12:54:35

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

Initially I was very confused by my .packages diff, but that turned out to be Bug #15041. I was also confused by

     package: wget
     version: 1.18-5+deb9u1
   - arch: amd64
-    package: wget
-    version: 1.18-5
-  - arch: amd64


but I realize the other wget version probably was used by the build system.

intrigeri wrote:
> intrigeri wrote:
> > I’d like to see the first scenario pass at least once so I’ve started another run.
>
> … and it passed.

I have seen the full (except one scenario due to Bug #14935) test suite pass with an image with the fixes for Bug #14993 + Feature #14999 + Bug #15019, so it looks good => merged!

> > But I’m not sure if I should block on the other ones: on the one hand it feels a bit scary to send this to review’n’merge despite our test suite not having been able to validate MAC spoofing; OTOH we can’t block all development on test suite bugs, so well.
>
> I’ll let anonym decide.

I manually tested Bug #14935, so this is not a concern any more!

> Post-merge step
>
> Bump the expiration date of the new snapshot to match the old one’s.

Bumped:

config/APT_snapshots.d:
* Archive 'debian' uses snapshot '2017120903' which expires on: Thu, 22 Mar 2018 12:40:31 +0000
* Archive 'debian-security' uses snapshot 'latest' which expires on: never
* Archive 'torproject' uses snapshot '2017120803' which expires on: Thu, 22 Mar 2018 12:40:38 +0000
---
vagrant/definitions/tails-builder/config/APT_snapshots.d:
* Archive 'debian' uses snapshot '2017091504' which expires on: Thu, 22 Mar 2018 16:41:14 +0000
* Archive 'debian-security' uses snapshot '2017091504' which expires on: Thu, 22 Mar 2018 16:41:20 +0000
* Archive 'tails' uses snapshot '2017091504' which expires on: Thu, 22 Mar 2018 16:41:23 +0000
---

#15 Updated by intrigeri 2018-01-04 18:26:38

  • Target version changed from Tails_3.5 to Tails_3.4

#16 Updated by anonym 2018-01-09 20:52:28

  • Status changed from Fix committed to Resolved