Better living through software

Ben Hutchings's diary of life and technology

Email: ben@decadent.org.uk • Twitter: @benhutchingsuk • Debian: benh • Gitweb: git.decadent.org.uk • Github: github.com/bwhacks

Tue, 10 May 2022

Debian LTS work, April 2022

In April I was assigned 16 hours of work by Freexian's Debian LTS initiative and carried over 8 hours from March. I worked 11 hours, and will carry over the remaining time to May.

I spent most of my time triaging security issues for Linux, working out which of them were fixed upstream and which actually applied to the versions provided in Debian 9 "stretch". I also rebased the Linux 4.9 (linux) package on the latest stable update, but did not make an upload this month.

posted at: 23:41 | path: / | permanent link to this entry

Mon, 04 Apr 2022

Debian LTS work, March 2022

In March I was assigned 16 hours of work by Freexian's Debian LTS initiative and carried over 8 hours from February. I worked 16 hours, and will carry over the remaining time to April.

I backported the mitigations for Spectre-BHB (CVE-2022-0001, CVE-2022-0002) on x86 processors, to Linux 4.9. I worked together with Salvatore Bonaccorso in preparing the kernel updates that were needed in all suites, and writing advisory text. I uploaded both the linux (4.9) and linux-4.19 packages to stretch, and issued DLA-2940-1 and DLA-2941-1.

I also triaged new issues that were reported later in the month.

posted at: 21:34 | path: / | permanent link to this entry

Wed, 02 Mar 2022

Debian LTS work, February 2022

In February I was assigned 16 hours of work by Freexian's Debian LTS initiative and carried over 8 hours from January. I worked 16 hours, and will carry over the remaining time to March.

I spent most of my time triaging security issues for Linux, working out which of them were fixed upstream and which actually applied to the versions provided in Debian 9 "stretch". I also rebased the Linux 4.9 (linux) package on the latest stable update, but did not make an upload this month.

posted at: 16:04 | path: / | permanent link to this entry

Wed, 02 Feb 2022

CI for the Debian kernel team

Starting just after Christmas, I have been working on CI for all the kernel team's packages on Salsa. The salsa-ci-team has done great work on producing a common pipeline that is usable for most packages with minimal configuration. However, for some packages a lot more work was required.

Linux

I started with the most important package, linux itself. This now has about 1.1 GiB of source spread over 76,000 source files. That turns out to be a problem for the pipeline which currently puts unpacked source in artifacts - it is far beyond the limits of what Salsa allows. I worked around this by using a modified version of the extract-source and build jobs that use packed source package as the artifacts. The output of the build job is compatible with the common test jobs.

The linux package also takes a lot of resources to build; around 80 minutes on the fastest PC I have at home (if ccache is not primed). Salsa's shared CI runners seem to be about 10 times slower than that, so it is completely unfeasible to even one full build in CI. Instead I defined a new build profile that includes only the smallest kernel configuration, without debug info, and the user-space packages. This still takes over an hour with the Salsa CI runners, but I don't think we can improve this much without losing a lot of code coverage.

Our Git repository for linux also does not contain the upstream source, so the extract-source job has to fetch that. The common extract-source job uses origtargz to do that, and in case the orig tarball is not already in the archive this will run uscan. That led me to a new problem: our debian/watch file could only find tarballs linked from the front of www.kernel.org, and we're sometimes working with different upstream versions. There is actually no single page listing all tarball releases of Linux, and tarballs for release candidates are dynamically generated by CGit and unsigned. So I changed debian/watch to fetch from Git, which is what we were already doing with our own genorig.py script.

Unfortunately, running uscan against a Git upstream, with some files excluded (as there are still a few upstream files we consider non-free), is about twice as slow as it could be. Since I had to modify the extract-source job anyway, I've continued using genorig.py there.

A full build log for linux is over 200 MiB, and even with the reduced build profile it would be much longer than Salsa's limit of 2 4 MiB. I therefore opted to use the 'terse' build option (which translates to V=0), but made the builds of user-space tools ignore this option so that blhc could still do its work. (The kernel itself cannot use the same hardening options, so blhc is not useful there.)

Finally, with the CI pipeline running, blhc and lintian showed a lot of problems that we hadn't been attending to. I've fixed all the blhc errors (with some careful suppressions), all the lintian errors, and the most straightforward lintian warnings.

firmware-nonfree

The firmware-nonfree package also has huge "source" (about 560 MB) and needed some of the same modifications, but is quick to build so did not require a special build profile.

Running lintian over firmware-nonfree reminded me that I needed to sort out the unsuual and inconistent handling of machine-readable copyright information in this source package. I had already done most of that work on a private branch in 2020, so this is mostly ready but I still need to resolve a licensing issue with AppStream metadata.

Other packages

For kernel-handbook, there was already a trivial "CI" pipeline used to push static pages to the web site. I've replaced this with the common pipeline plus a job that will push the pages from each build on the master branch.

For everything else, it was straightforward to enable the common pipeline with a little bit of configuration.

posted at: 02:13 | path: / | permanent link to this entry

Debian LTS work, January 2022

In January I was assigned 24 hours of work by Freexian's Debian LTS initiative. I worked 16 hours, and will carry over the remaining time to February.

I sent various backported security fixes for Linux to the stable mailing list, and they have been included in subsequent stable releases. I rebased the linux package on the latest 4.9-stable release, but did not yet upload it.

posted at: 00:44 | path: / | permanent link to this entry