Bug #17117

Upgrade to Linux 5.3

Added by intrigeri 2019-10-03 08:24:42. Updated 2019-10-05 19:41:20.

Status:
Resolved
Priority:
Elevated
Assignee:
segfault
Category:
Target version:
Start date:
Due date:
% Done:
100%

Feature Branch:
feature/17117-linux-5.3+force-all-tests
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

5.3.2-1~exp1 is going to land in experimental in the next few days. I doubt it’ll be in sid in time for 4.0~rc1, but if we ship 4.0~rc1 with 5.2, we’ll have a very difficult decision to make regarding 4.0 final: taking the risk of upgrading to 5.3 vs. not getting the security fixes that come with 5.3.

One option, suggested by hefee, would be to ship 5.3 from experimental in 4.0~rc1: it’s a bit more risky for 4.0~rc1 but allows us to ship 5.3 in 4.0 final with a lower risk of regressions, which is good.

Related issues

Related to Tails - Bug #17104: "Erasure of memory freed by killed userspace processes" test scenario regression caused by the upgrade to Linux 5.2.0-3 Resolved
Related to Tails - Bug #17124: Install Linux 5.3 from sid Resolved
Related to Tails - Bug #17236: Enable the init_on_alloc=1 and init_on_free=1 Linux options Resolved
Blocks Tails - Feature #16209: Core work: Foundations Team Confirmed
Blocks Tails - Bug #17024: Fix CVE-2019-15902 aka. "Failed Linux LTS Spectre Fix" Resolved

History

#1 Updated by intrigeri 2019-10-03 08:25:01

#2 Updated by intrigeri 2019-10-03 08:25:40

  • related to Bug #17024: Fix CVE-2019-15902 aka. "Failed Linux LTS Spectre Fix" added

#3 Updated by intrigeri 2019-10-03 08:37:38

  • Assignee set to intrigeri

I’ll give it a try, mainly to see if Bug #17104 magically disappears.

#4 Updated by intrigeri 2019-10-03 08:37:53

  • related to Bug #17104: "Erasure of memory freed by killed userspace processes" test scenario regression caused by the upgrade to Linux 5.2.0-3 added

#5 Updated by intrigeri 2019-10-03 08:56:22

  • Description updated
  • Status changed from Confirmed to In Progress
  • Feature Branch set to feature/17117-linux-5.3+force-all-tests

#6 Updated by intrigeri 2019-10-03 11:49:22

5.3.2-1 is currently building; once that’s done, dak has run, the mirror sync is over, and our time-based snapshots have picked it up, I’ll update our branch to install it instead of 5.3.0-rc5.

#7 Updated by intrigeri 2019-10-03 13:07:45

  • related to deleted (Bug #17024: Fix CVE-2019-15902 aka. "Failed Linux LTS Spectre Fix")

#8 Updated by intrigeri 2019-10-03 13:07:54

  • blocks Bug #17024: Fix CVE-2019-15902 aka. "Failed Linux LTS Spectre Fix" added

#9 Updated by intrigeri 2019-10-03 17:29:15

Full test suite passed locally except:

  • Booting Tails from a USB drive in UEFI mode: stuck in the bootloader command line editor
  • a couple of Additional Software scenarios that are rather fragile these days (I should file bugs and tag them as such at some point)

Let’s see how it goes on Jenkins.

#10 Updated by intrigeri 2019-10-04 04:40:21

> Full test suite passed locally except:

> * Booting Tails from a USB drive in UEFI mode: stuck in the bootloader command line editor
> * a couple of Additional Software scenarios that are rather fragile these days (I should file bugs and tag them as such at some point)

> Let’s see how it goes on Jenkins.

https://jenkins.tails.boum.org/job/test_Tails_ISO_feature-17117-linux-5.3-force-all-tests/1/ passed except some keyserver-related well-known fragility + the same UEFI problem.

I can reproduce the UEFI issue in a UEFI VM on my sid system. If I replace quiet with nosplash debug on the kernel command line, I see:

Loading /live/vmlinuz... ok
Loading /live/initrd.img... ok

… and nothing else happens, except QEMU keeps using a full CPU core. Same in troubleshooting mode. Uh oh.

I don’t know if it’s a matter of “the graphics transition between syslinux and Linux fails” or anything else.

Next steps:

  1. upgrade Linux from 5.3-rc5 to 5.3.2
  2. retry with an image that has Linux 5.3 + GRUB (the branch from Feature #6560), to see if it’s purely a Linux problem or if the bootloader is involved
  3. disable all syslinux graphics settings that may interfere

#11 Updated by intrigeri 2019-10-04 07:13:40

> 5.3.2-1 is currently building; once that’s done, dak has run, the mirror sync is over, and our time-based snapshots have picked it up, I’ll update our branch to install it instead of 5.3.0-rc5.

Done.

The good news is that this updated kernel fixes the UEFI boot issue that I saw with 5.3-rc5 :)

#12 Updated by intrigeri 2019-10-05 08:02:52

Test suite runs look good enough so I’ll seriously consider the option suggested by hefee (see ticket description). Next steps:

  • test on bare metal
  • go through https://tails.boum.org/contribute/Linux_kernel/ and consider other pros & cons

#13 Updated by intrigeri 2019-10-05 08:33:11

  • Status changed from In Progress to Needs Validation
  • Assignee deleted (intrigeri)

> Next steps:
>
> * test on bare metal

Works fine on HP EliteBook 840G1 and ThinkPad X200: boots, Wi-Fi connects, Tor Browser starts, unplugging the boot device triggers emergency shutdown.

> * go through https://tails.boum.org/contribute/Linux_kernel/ and consider other pros & cons

Done. Of course, this version is only in experimental so it’s impossible to draw conclusions from the lack of regression reports on the Debian BTS.

My conclusion as of today: arguably there are very few reasons to upgrade to 5.3 right now (Bug #17024 being one of them). But if we don’t do this upgrade in 4.0~rc1, there’s a high chance we end up in a bad place between 4.0~rc1 and 4.0, when likely some security fixes we’ll want are available only by upgrading to 5.3 from sid once it’s uploaded there. So I think we should bite this bullet, take the risk of hardware support regressions in 4.0~rc1, and go ahead.

#14 Updated by segfault 2019-10-05 19:33:04

  • Assignee set to segfault

#15 Updated by segfault 2019-10-05 19:41:20

  • Status changed from Needs Validation to Resolved
  • % Done changed from 0 to 100

Applied in changeset commit:tails|5703cbdf3c05ab2e53b8494b9a03260af34f3695.

#16 Updated by segfault 2019-10-05 19:50:42

  • related to Bug #17124: Install Linux 5.3 from sid added

#17 Updated by intrigeri 2019-11-15 09:26:54

  • related to Bug #17236: Enable the init_on_alloc=1 and init_on_free=1 Linux options added