Feature #14728

Track security updates during the Tails code freeze

Added by anonym 12 months ago. Updated about 1 month ago.

Status: Confirmed
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 09/26/2017
Due date:
% Done: 0%
QA Check:
Feature Branch:
Type of work: Research
Blueprint:
Starter:
Affected tool:

Description

This affects:

  1. packages we install from other dists than Debian stable, e.g. from Debian testing or Debian sid. A good example of the problem is the linux kernel which we install from sid; for instance, at the time of the 3.2 freeze we got linux 4.12.12-2, but in the middle of the freeze linux 4.12.13-1 was uploaded to sid, and it was not noticed until the final 3.2 was built so we missed out on several security updates.
  2. packages we override with our custom APT repo, see e.g. #14729 for one instance of this problem

Related issues

Related to Tails - Bug #14729: Fix gdk-pixbuf vulnerability (CVE-2017-2862) Resolved 09/26/2017
Related to Tails - Feature #15524: Iteration 1: Write release process documentation for custom packages Confirmed 04/11/2018

History

#1 Updated by intrigeri 12 months ago

  • Related to Bug #14729: Fix gdk-pixbuf vulnerability (CVE-2017-2862) added

#2 Updated by intrigeri 12 months ago

  • Subject changed from Improve tracking of security updates during the freeze to Track security updates during the Tails code freeze
  • Description updated (diff)

#3 Updated by anonym 12 months ago

The comment #14729#note-4 is relevant here. In particular, I believe the solution to our security tracking woes is to automate it.

#4 Updated by intrigeri 12 months ago

A short-term, trivial fix would be to:

#5 Updated by anonym 10 months ago

  • Target version changed from Tails_3.3 to Tails_3.5

#6 Updated by anonym 8 months ago

  • Target version changed from Tails_3.5 to Tails_3.6

#7 Updated by anonym 7 months ago

  • Target version changed from Tails_3.6 to Tails_3.7

#8 Updated by intrigeri 6 months ago

Regarding the 1st problem: check the list of packages upgraded between a build from our frozen release branch (stable or testing) and a build from a devel branch (that's unfrozen).

Regarding the 2nd problem: check if any included package has a smaller version than in Debian stable + security. E.g. use the same API as rmadison uses to query the Debian archive.

#9 Updated by intrigeri 5 months ago

  • Target version changed from Tails_3.7 to Tails_3.8

#10 Updated by intrigeri 4 months ago

  • Target version changed from Tails_3.8 to Tails_3.10

#11 Updated by u about 1 month ago

  • Assignee changed from anonym to intrigeri

I'm tentatively reassigning this to FT so you can decide what to do with this ticket.

#12 Updated by intrigeri about 1 month ago

  • Assignee changed from intrigeri to anonym

I'm tentatively reassigning this to FT so you can decide what to do with this ticket.

I'd rather leave such tickets assigned to anonym for now so they stand out as something that needs to be shared differently and reassigned, which will make it easier for our team to organize.

#13 Updated by intrigeri 10 days ago

  • Related to Feature #15524: Iteration 1: Write release process documentation for custom packages added
