Xen 4.16 update for Debian Unstable

  • Create a salsa GitLab issue about the package update; when we're done, we paste the filled-in checklist into it, for hysterical purposes.
  • Look at upstream, what's in the staging-x.y branch now?
  • Wait for upstream tests to succeed and for stable-x.y to advance; see the osstest messages in https://lists.xenproject.org/archives/html/xen-devel/
  • Pick the upstream commit we're going to advance the packaging to -> RELEASE-4.16.2
  • choose full target version number -> 4.16.2-1
  • fetch upstream into packaging working copy
  • Look through the new upstream changes and assemble the XSA list for the changelog (already in final format below; see also https://xenbits.xen.org/xsa/):
  * Update to new upstream version [...], which also contains security fixes
    for the following issues:
    - x86 pv: Race condition in typeref acquisition
      XSA-401 CVE-2022-26362
    - x86 pv: Insufficient care with non-coherent mappings
      XSA-402 CVE-2022-26363 CVE-2022-26364
    - Linux disk/nic frontends data leaks
      XSA-403 CVE-2022-26365 CVE-2022-33740 CVE-2022-33741 CVE-2022-33742
    - x86: MMIO Stale Data vulnerabilities
      XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
    - Retbleed - arbitrary speculative code execution with return instructions
      XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
    - insufficient TLB flush for x86 PV guests in shadow mode
      XSA-408 CVE-2022-33745
  * Note that the following XSA are not listed, because...
    - XSA-405 and XSA-406 have patches for the Linux kernel.
  • Create the upstream/xyz tag: git tag -s upstream/4.16.2 -m "Tag current upstream stable-4.16 branch for Debian baseline" RELEASE-4.16.2^{} (the ^{} peels the signed upstream tag to the commit it points at)
  • Look at the current state of the packaging repo: do we have the right starting point (e.g. the debian/xyz tag of the previous upload)?
  • Switch to a work in progress branch, like wip/sid
  • Do the gdr (git-debrebase) new-upstream magic -> git debrebase new-upstream 4.16.2-1
  • Write the debian/changelog entry. Just look at the previous ones for formatting examples.
  • Push the upstream/xyz tag and the wip branch to salsa, and let GitLab CI build it too
  • Create orig.tar.whatever -> git-deborig
  • Have gdr update debian/patches -> git-debrebase make-patches
  • Do a local build
  • Smoke test, e.g. reboot a physical server into it, move some domUs to it, do a few live migrations and restarts, etc.
  • Take a proper break
  • Triple check debian/changelog for stupid errors
  • We suddenly have lintian errors:
  • Fix #1016547 about grub-mkconfig
  • Upload: dgit push-source. This will also finish the git-debrebase process.
  • Merge the now-finalized WIP branch into the real branch (e.g. git checkout master; git merge wip/sid), so that whoever looks at our repo always sees something that corresponds to the current package in Debian.
  • Push branch and debian/xyz tag to salsa
  • Wait for ACCEPTED
  • Wait for buildds to complete
  • Wait for the new version to actually end up in unstable
  • Move this whole section into the salsa gitlab issue and remove it here.
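For the "assemble the XSA list" and "triple check debian/changelog" steps above, here is an added example (not part of the Debian Xen packaging repo) that machine-checks the XSA part of the changelog entry: every fix line must carry a CVE id, and every XSA number between the lowest and highest mentioned must either be listed as fixed or be named in the "not listed" note. The sample entry is constructed and deliberately leaves out XSA-403 and XSA-407 and drops the CVE ids from XSA-404 so both checks have something to flag.

```shell
# Added example, not part of the Debian Xen packaging repo: sanity-check the XSA
# list in a debian/changelog entry before upload. Assumes the entry format used
# above: "- <title>" then "XSA-NNN CVE-..." per fix, plus a "not listed" note.
# Constructed sample entry. XSA-403 and XSA-407 are deliberately left out and
# XSA-404 deliberately lacks its CVE ids, so both checks have something to flag.
sample_changelog() {
  cat <<'EOF'
xen (4.16.2-1) unstable; urgency=medium

  * Update to new upstream version 4.16.2, which also contains security fixes
    for the following issues:
    - x86 pv: Race condition in typeref acquisition
      XSA-401 CVE-2022-26362
    - x86 pv: Insufficient care with non-coherent mappings
      XSA-402 CVE-2022-26363 CVE-2022-26364
    - x86: MMIO Stale Data vulnerabilities
      XSA-404
    - insufficient TLB flush for x86 PV guests in shadow mode
      XSA-408 CVE-2022-33745
  * Note that the following XSA are not listed, because...
    - XSA-405 and XSA-406 have patches for the Linux kernel.
EOF
}
# Every XSA number mentioned in the entry (fixed or explained), ascending.
xsa_mentioned() { grep -o 'XSA-[0-9][0-9]*' "$1" | sed 's/XSA-//' | sort -un; }

# XSA fix lines (indented "XSA-NNN ..." lines) that carry no CVE id at all.
xsa_without_cve() {
  grep '^ *XSA-[0-9]' "$1" | grep -v 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | grep -o 'XSA-[0-9]*'
}

# XSA numbers in the covered range that appear nowhere in the entry:
# neither as a fix nor in the "not listed" note. Those need a line either way.
xsa_gaps() {
  lo=$(xsa_mentioned "$1" | head -n 1); hi=$(xsa_mentioned "$1" | tail -n 1)
  [ -n "$lo" ] || return 0
  n=$lo
  while [ "$n" -le "$hi" ]; do
    xsa_mentioned "$1" | grep -qx "$n" || echo "XSA-$n"
    n=$((n + 1))
  done
}

# Exit 0 only when every fix line has a CVE and the covered range has no gaps.
check_xsa_changelog() {
  status=0
  for x in $(xsa_without_cve "$1"); do echo "$x: fix line without CVE id"; status=1; done
  for x in $(xsa_gaps "$1"); do echo "$x: neither listed nor explained"; status=1; done
  return $status
}
```

Run it as `sample_changelog > entry.txt; check_xsa_changelog entry.txt` (or point it at the real debian/changelog) and fix anything it prints before dgit push-source.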
Edited by Hans van Kranenburg