Bug #17610

Upgrade to Linux 5.6

Added by intrigeri 2020-04-12 09:48:12. Updated 2020-05-18 08:45:28.

Status: Needs Validation
Priority: Elevated
Assignee: anonym
Category:
Target version:
Start date:
Due date:
% Done: 50%
Feature Branch: feature/17620-buster-10.4+force-all-tests
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

Let’s see if we have to, and can, do that in Tails 4.6.



Related issues

Related to Tails - Bug #17611: devel branch FTBFS: Package 'linux-image-5.4.0-4-amd64' has no installation candidate (Needs Validation)
Related to Tails - Bug #17612: devel branch FTBFS: patch against torbrowser.Browser.firefox is fuzzy (Needs Validation)
Blocks Tails - Feature #16209: Core work: Foundations Team (Confirmed)

History

#1 Updated by intrigeri 2020-04-12 09:48:28

#2 Updated by intrigeri 2020-04-12 09:49:19

  • related to Bug #17611: devel branch FTBFS: Package 'linux-image-5.4.0-4-amd64' has no installation candidate added

#3 Updated by intrigeri 2020-04-15 08:29:36

  • related to Bug #17612: devel branch FTBFS: patch against torbrowser.Browser.firefox is fuzzy added

#4 Updated by intrigeri 2020-04-15 08:31:35

  • Priority changed from Normal to Elevated

devel branch FTBFS because 5.4 is not available anywhere in Debian anymore ⇒ bumping priority (the alternative would be to upload 5.4 to our custom APT repo, but that feels like waste to me: better work directly on the upgrade to 5.5).

Edit: For context, and in hindsight, the recent update in Debian testing was 5.5.0-1 → 5.5.0-2; I initially thought it had gone from 5.4.0-4 to 5.5.0-2, which is why I reopened this ticket. I suppose it makes little sense to worry about the no-longer-efficient-workaround situation (this ticket) and focus on Bug #17611 anyway; my tentative heads-up might have just been some extra noise, sorry about that.

#5 Updated by anonym 2020-04-28 07:55:23

  • Assignee set to anonym

#6 Updated by anonym 2020-04-28 11:17:07

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 20
  • Feature Branch set to feature/17610-linux-5.5+force-all-tests

I wasn’t sure if we want this in 4.6 or not, but just in case I based my work on stable. That meant I had to bump the Debian APT snapshot (2020032503 → 2020041901) which results in these differences compared to a recent build from stable:


b43-fwcutter 1:019-4 → 1:019-5
firmware-b43-installer 1:019-4 → 1:019-5
firmware-b43legacy-installer 1:019-4 → 1:019-5
linux-image-* 5.4.19-1 → 5.5.17-1
torbrowser-launcher 0.3.2-7 → 0.3.2-9
virtualbox-guest-dkms-dummy 6.1.4-dfsg-2+tails.fake1 → 6.1.6-dfsg-2+tails.fake1
virtualbox-guest-utils 6.1.4-dfsg-2 → 6.1.6-dfsg-2
virtualbox-guest-x11 6.1.4-dfsg-2 → 6.1.6-dfsg-2
webext-ublock-origin 1.22.2+dfsg-1 → 1.22.2+dfsg-2
wireless-regdb 2016.06.10-1 → 2019.06.03-3

Doesn’t look so bad, so I think we indeed could consider this for 4.6.

However, the torbrowser-launcher bump means that we get affected by Bug #17612 so this branch will FTBFS, so we would have to fix that in 4.6 as well (I just temporarily disabled the 01-check-for-dot-orig-files hook to be able to build, since I was just interested in the package diff). I’ll probably look at that one next anyway.

@kibi, any thoughts about this?

#7 Updated by anonym 2020-04-28 14:05:43

anonym wrote:
> However, the torbrowser-launcher bump means that we get affected by Bug #17612 so this branch will FTBFS, so we would have to fix that in 4.6 as well

Done in commit:de8bd015b53bc132c97e10bf55fae201f118d067. So we just have to cherry-pick it into this branch, for example, if we target 4.6 (and then we can skip the branch I submitted to Bug #17612 since this ticket’s branch will fix devel once merged into stable and then stable into devel).

As long as testing of this branch is fine I don’t see any clear blocker against including this in Tails 4.6. It’s just a bit tight timing-wise as we’ll not see too much testing of this new kernel until the release date, in just a week.

#8 Updated by anonym 2020-04-28 14:11:43

anonym wrote:
> anonym wrote:
> > However, the torbrowser-launcher bump means that we get affected by Bug #17612 so this branch will FTBFS, so we would have to fix that in 4.6 as well
>
> Done in commit:de8bd015b53bc132c97e10bf55fae201f118d067. So we just have to cherry-pick it into this branch, for example, if we target 4.6 (and then we can skip the branch I submitted to Bug #17612 since this ticket’s branch will fix devel once merged into stable and then stable into devel).

Eh, I did this cherry-picking now, otherwise this branch won’t build and get tested. So this ticket and Bug #17612 should be reviewed at the same time, and the branch to review’n’merge depends on which branch we target:

  • stable: please review’n’merge this ticket’s feature/17610-linux-5.5+force-all-tests
  • devel: please review’n’merge Bug #17612’s bugfix/17612-torbrowser-launcher-0.3.2-9+force-all-tests

#9 Updated by CyrilBrulebois 2020-05-06 04:28:59

  • Target version changed from Tails_4.6 to Tails_4.7

#10 Updated by anonym 2020-05-06 09:28:49

I manually tested a build and it worked fine.

However, on the Jenkins side things don’t look good because I failed to bump the expiration date of the snapshot so the branch FTBFS. So if we want this kernel bump in a bugfix release based on stable (e.g. 4.7), we have to bump snapshots again. So I now bumped the 2020042601 snapshot of the Debian archive 90 days for this possibility.

@CyrilBrulebois, I think we should aim to get Linux 5.5 into Tails 4.7, and do that by getting this merged into stable ASAP. As the (probable) RM, what do you think?

I’d like to get this moving so we can make devel build again!

#11 Updated by CyrilBrulebois 2020-05-06 14:45:06

Hey @anonym.

Sure, go ahead!

#12 Updated by CyrilBrulebois 2020-05-07 05:44:23

Speaking of bumping snapshots, I should mention the 10.4 point release is happening this week-end (the archive being updated on Saturday, 2020-05-09).

For the record, this is when most stuff is merged from buster/updates (security archive) and buster-proposed-updates (regular archive) into an updated buster (regular archive).

#13 Updated by intrigeri 2020-05-07 05:53:49

> Speaking of bumping snapshots, I should mention the 10.4 point release is happening this week-end (the archive being updated on Saturday, 2020-05-09).

Bug #17620 :)

Also, I expect Linux 5.5 will go away soon as 5.6 migrated to testing already.

#14 Updated by intrigeri 2020-05-10 18:51:36

I see the branch hasn’t built on Jenkins for 8 days, and before that it built only once, so that does not give us much data to evaluate.

I’ve read the log on this issue and I’m not sure if the fact the https://tails.boum.org/contribute/Linux_kernel/ checks are not mentioned means “you’ve checked and everything looks good” or “you did not notice the link and forgot that we now have this process”. Given we’ve set up this process after a pretty traumatic experience (upgrading a stable Tails release to a kernel version that was known, via multiple bug reports in the Debian BTS, to break Intel graphics), I would personally feel more comfortable if we were explicit about such things, so the reviewer doesn’t have to guess :)

Cheers!

#15 Updated by anonym 2020-05-11 09:22:03

intrigeri wrote:
> Also, I expect Linux 5.5 will go away soon as 5.6 migrated to testing already.

Then it’s a waste of time to aim for 5.5, right? So let’s repurpose this ticket for Linux 5.6?

> I’ve read the log on this issue and I’m not sure if the fact the https://tails.boum.org/contribute/Linux_kernel/ checks are not mentioned means “you’ve checked and everything looks good” or “you did not notice the link and forgot that we now have this process”. Given we’ve set up this process after a pretty traumatic experience (upgrading a stable Tails release to a kernel version that was known, via multiple bug reports in the Debian BTS, to break Intel graphics), I would personally feel more comfortable if we were explicit about such things, so the reviewer doesn’t have to guess :)

I followed this procedure and thought I mentioned it, but just wrote “I manually tested a build and it worked fine”, so I get why you worry! :)

Anyway, I guess it was wasted and we’ll refocus on 5.6 and have to redo it.

#16 Updated by intrigeri 2020-05-11 09:29:36

> Then it’s a waste of time to aim for 5.5, right? So let’s repurpose this ticket for Linux 5.6?

This makes sense to me.

> I followed this procedure

Great :)

#17 Updated by anonym 2020-05-14 10:23:57

  • Subject changed from Upgrade to Linux 5.5 to Upgrade to Linux 5.6

@CyrilBrulebois, so let’s make this happen in 4.7!

#18 Updated by anonym 2020-05-14 12:51:31

  • Status changed from In Progress to Needs Validation
  • % Done changed from 20 to 50
  • Feature Branch changed from feature/17610-linux-5.5+force-all-tests to feature/17620-buster-10.4+force-all-tests

See Bug #17620#note-3 for details.

#19 Updated by anonym 2020-05-14 14:11:43

> * https://tails.boum.org/contribute/Linux_kernel/

Testing on my hardware worked fine! Including secure boot!

As for changes since 5.4, there seem to be issues with Intel Graphics:

OTOH, lots of similar issues were reported against 5.4, that we’re already running:

FWIW, I’ve experienced these issues on my system since I upgraded from Linux 5.3. It seems to be better in 5.6 than 5.{4,5} for me, however. This tiny anecdote seems to be in favor of doing this upgrade, FWIW.

Also, the other day (with 5.6) I had some crazy issue with PCI Express Advanced Error Reporting on my system, so it spammed my journal with gigabytes of errors so my root fs was filled and my system got so unstable I couldn’t even sudo to try to fix the situation (REISUB!). In the end I had to add pci=noaer to the kernel cmdline to disable this “advanced error reporting” from spamming my journal.

Other than this, I find it extremely hard to know what to even look for in this immense sea of data that our Kernel upgrade instructions point to. I couldn’t even find a nice way to ask Debian BTS something like “which bugs have been introduced in linux >= 5.5”, so I just searched for “5.5” and “5.6” on the huge list of all linux bugs. So I can only say: “LGTM, I guess”. I’m curious about how you approach this, @intrigeri.

Regarding security issues, I found no way to easily compare 5.4 to 5.6 since 5.4 (and even 5.5) isn’t in Debian any more, and thus not included in the Debian security tracker. From what I can see, I would be surprised if 5.6 had some serious vulnerability that 5.4 isn’t affected by as well. So LGTM!

Regarding new security features, Kees hasn’t updated his blog since Linux 5.4, so let’s wait until he does.

So, yeah, LGTM, I guess. :)

#20 Updated by intrigeri 2020-05-18 08:45:28

Hi anonym,

> As for changes since 5.4, there seem to be issues with Intel Graphics:
> […]
> OTOH, lots of similar issues were reported against 5.4, that we’re already running:
> […]

> FWIW, I’ve experienced these issues on my system since I upgraded from Linux 5.3. It seems to be better in 5.6 than 5.{4,5} for me, however. This tiny anecdote seems to be in favor of doing this upgrade, FWIW.

+1

> Also, the other day (with 5.6) I had some crazy issue with PCI Express Advanced Error Reporting on my system, so it spammed my journal with gigabytes of errors so my root fs was filled and my system got so unstable I couldn’t even sudo to try to fix the situation (REISUB!). In the end I had to add pci=noaer to the kernel cmdline to disable this “advanced error reporting” from spamming my journal.

FWIW, I see lots of similar reports on various hardware for 4+ years, so: while it’s unfortunate this regressed on your hardware, it does not look like the general problem is a new one.

> Other than this, I find it extremely hard to know what to even look for in this immense sea of data that our Kernel upgrade instructions point to.

I understand. I’m happy to improve these instructions, so the expectations are clearer. For now I’ll focus on the specific problems you’re mentioning below but if anything else in there creates this “immense sea of data” feeling, please let me know.

> I couldn’t even find a nice way to ask Debian BTS something like “which bugs have been introduced in linux >= 5.5”, so I just searched for “5.5” and “5.6” on the huge list of all linux bugs. So I can only say: “LGTM, I guess”. I’m curious about how you approach this, @intrigeri.

Yes, that’s what I’m doing too. Documented in commit:26bd72e23e8b050f3fd8dbe6608b9d09ee831aad and further improved with commit:eca4e8a58c9947a83f36236726911455b511a28e.
(Note that UDD can also output YAML and JSON, so we could write tooling to filter out bug reports with lower severity and produce whatever output we prefer.)

Also, to be clear: you noticed the “severity important or higher” part, right?

> Regarding security issues, I found no way to easily compare 5.4 to 5.6 since 5.4 (and even 5.5) isn’t in Debian any more, and thus not included in the Debian security tracker. From what I can see, I would be surprised if 5.6 had some serious vulnerability that 5.4 isn’t affected by as well. So LGTM!

I’ve documented how to do that in commit:cf2f4c7c7ee7c4ec8564d15dcf11ed1d8623783b.

But I see the Debian security tracker reference got you confused, so: commit:58125c637071a00897beb79821fec5b3ba398f7f.
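
The tooling idea raised in comment #20 (filter a UDD export down to bugs of severity important or higher that mention the kernel versions under consideration), as an added example that is not part of the ticket or of Tails' own code. The JSON field names `id`, `severity` and `title` are assumptions about the export format, and the bug entries are constructed.

```python
import json
import re

# Debian BTS severities, lowest to highest.
SEVERITIES = ["wishlist", "minor", "normal", "important",
              "serious", "grave", "critical"]
RANK = {name: i for i, name in enumerate(SEVERITIES)}
UNKNOWN = len(SEVERITIES)  # missing/unrecognised severity ranks highest: never dropped

# Constructed sample. The field names are assumptions about the export
# format, and the bugs are made up for this example.
SAMPLE_EXPORT = json.dumps([
    {"id": 1, "severity": "important",
     "title": "linux-image-5.6.0-1-amd64: i915 GPU hang after resume"},
    {"id": 2, "severity": "serious",
     "title": "linux: 5.5.17-1 fails to boot with encrypted root"},
    {"id": 3, "severity": "minor",
     "title": "linux-image-5.6.0-1-amd64: typo in package description"},
    {"id": 4, "severity": "important",
     "title": "linux-image-4.19.0-9-amd64: oops after 15.6 hours of uptime"},
    {"id": 5, "severity": "wishlist",
     "title": "linux: please enable a config option in 5.6"},
    {"id": 6, "title": "linux 5.6: AER messages fill the journal"},
])


def version_pattern(versions):
    """Match '5.6' in '5.6.7-1' or 'linux-image-5.6.0-1', not in '15.6' or '5.60'."""
    alternatives = "|".join(re.escape(v) for v in versions)
    return re.compile(r"(?<![\d.])(?:%s)(?!\d)" % alternatives)


def triage(export_json, versions, min_severity="important"):
    """Return bugs that mention one of `versions` at `min_severity` or higher."""
    pattern = version_pattern(versions)
    threshold = RANK[min_severity]
    kept = []
    for bug in json.loads(export_json):
        rank = RANK.get(bug.get("severity"), UNKNOWN)
        if rank >= threshold and pattern.search(bug.get("title", "")):
            kept.append((rank, bug))
    # Most severe first, then by bug number for a stable order.
    kept.sort(key=lambda item: (-item[0], item[1]["id"]))
    return [bug for _, bug in kept]


if __name__ == "__main__":
    for bug in triage(SAMPLE_EXPORT, ["5.5", "5.6"]):
        print(bug["id"], bug.get("severity", "unknown"), bug["title"])
```

Entries with a missing severity are kept rather than silently dropped, so a malformed record still gets a reviewer's eyes.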