Bug #15936

Upgrade Linux to 4.18

Added by intrigeri 2018-09-11 08:22:27. Updated 2018-10-24 11:18:23.

Status: Resolved
Priority: Elevated
Start date: 2018-09-11
% Done: 100%
Feature Branch: feature/15936-linux-4.18-stable-bump-Debian+force-all-tests
Type of work: Code

Description

linux-image-4.18.0-1-amd64 is now the default on sid, so 4.17 (shipped in 3.9 and on current stable) won’t get any security upgrades anymore.



Related issues

Blocks Tails - Feature #15506: Core work 2018Q4: Foundations Team Resolved 2018-04-08

History

#1 Updated by intrigeri 2018-09-11 08:22:47

#2 Updated by intrigeri 2018-09-12 05:53:10

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to feature/15936-linux-4.18+force-all-tests

To start with I’ve prepared a branch based on devel with Linux 4.18. We’ll need that soon anyway: at some point devel will start FTBFS’ing due to Linux 4.17’s upcoming removal from sid.

#3 Updated by intrigeri 2018-09-12 07:29:22

FTBFS, should be fixed once virtualbox-guest-dkms 5.2.18-dfsg-2 is uploaded to stable-bpo.

#4 Updated by intrigeri 2018-09-18 15:52:17

intrigeri wrote:
> FTBFS, should be fixed once virtualbox-guest-dkms 5.2.18-dfsg-2 is uploaded to stable-bpo.

Asked the usual uploader what his plans are.

#5 Updated by intrigeri 2018-09-25 08:26:26

intrigeri wrote:
> intrigeri wrote:
> > FTBFS, should be fixed once virtualbox-guest-dkms 5.2.18-dfsg-2 is uploaded to stable-bpo.
>
> Asked the usual uploader what his plans are.

… and he did the upload :)

#6 Updated by intrigeri 2018-10-02 18:54:39

  • Subject changed from Consider upgrading Linux to 4.18 in Tails 3.10 to Upgrade Linux to 4.18

https://security-tracker.debian.org/tracker/CVE-2018-17182 is definitely worth fixing.

#7 Updated by intrigeri 2018-10-09 08:52:24

Did a bunch of full test suite runs. A few fragile tests fail but none fail consistently and they all seem unrelated to the kernel upgrade. Since then, upgraded the branch to 4.18.0-2 + aufs 4.18-20181008, will re-run some tests and if happy, I’ll check if we can bump the APT snapshot of the Debian archive and if not, I’ll import the Linux package into an APT overlay, will rebase on stable, run more tests and submit for QA in time for 3.10.

#8 Updated by intrigeri 2018-10-09 08:52:49

  • Priority changed from Normal to Elevated

#9 Updated by intrigeri 2018-10-09 08:52:58

  • Type of work changed from Research to Code

#10 Updated by intrigeri 2018-10-10 12:26:33

> upgraded the branch to 4.18.0-2 + aufs 4.18-20181008, will re-run some tests and if happy

Full test suite passed so I’ll proceed with the next steps.

#11 Updated by intrigeri 2018-10-10 17:17:51

  • File 3.9.1-to-15936-packages.diff added
  • % Done changed from 10 to 20
  • Feature Branch changed from feature/15936-linux-4.18+force-all-tests to feature/15936-linux-4.18-stable-bump-Debian+force-all-tests

Bumping the Debian APT snapshot does not seem too crazy (see attached diff): apart from the security fixes that we’ll get anyway and the kernel upgrade that’s the whole point of this branch, there’s the mesa and virtualbox guest modules upgrade, which does not sound completely crazy => if the test suite passes I’ll test this on a couple of laptops and will submit for QA.

#12 Updated by intrigeri 2018-10-10 21:32:07

  • % Done changed from 20 to 30

Full test suite passed on my local Jenkins.

#13 Updated by intrigeri 2018-10-11 10:30:53

  • Assignee changed from intrigeri to segfault
  • % Done changed from 30 to 50
  • QA Check set to Ready for QA

Notes to reviewer:

  • Passes full test suite on my local Jenkins.
  • Wi-Fi, graphics, web browsing and emergency shutdown work fine on HP EliteBook 840G1 (docked with DisplayPort screen attached) and ThinkPad X200.
  • I’ve already optimistically bumped the expiration date of the 2018100901 snapshot of the Debian archive: in case this branch is merged, we don’t want it to expire and be garbage collected in a week (worst case, if we don’t merge this branch, either I’ll revert this expiration date bump or it’ll waste a little bit of storage space on our infra).

segfault, can you please test with NVIDIA hardware, and ideally also do the code review? If you can’t, just let me know and I’ll find another reviewer.

#14 Updated by segfault 2018-10-14 14:49:32

  • Assignee changed from segfault to intrigeri
  • QA Check changed from Ready for QA to Info Needed

> segfault, can you please test with NVIDIA hardware,

OK, will do that later

> and ideally also do the code review?

Done. 4459e6a4c7878ecba91dd7fb38fb0d4119a71135, 919b553e20d647a0d47cc4eae92e886398cc770c, and 46670c0156833102cd5382731c9e9be500800cc8 LGTM, but 33d74135123abcc134607826939c8032f81fc3ee (Tor Browser AppArmor profile patch) seems unrelated.

#15 Updated by intrigeri 2018-10-15 08:41:28

  • Assignee changed from intrigeri to segfault
  • QA Check changed from Info Needed to Ready for QA

Thanks!

segfault wrote:
> but 33d74135123abcc134607826939c8032f81fc3ee (Tor Browser AppArmor profile patch) seems unrelated.

Given I bumped the Debian APT snapshot, we’ll get a newer torbrowser-launcher package and thus these changes are needed, otherwise we’ll get FTBFS similar to Bug #15929 and Bug #15958.

#16 Updated by segfault 2018-10-15 19:52:58

  • Assignee changed from segfault to intrigeri
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

intrigeri wrote:
> Given I bumped the Debian APT snapshot, we’ll get a newer torbrowser-launcher package and thus these changes are needed, otherwise we’ll get FTBFS similar to Bug #15929 and Bug #15958.

I see, makes sense

#17 Updated by intrigeri 2018-10-15 20:09:57

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)

Thanks, merged!

#18 Updated by CyrilBrulebois 2018-10-24 11:18:23

  • Status changed from Fix committed to Resolved