Xen 4.16 update for Debian Unstable
- Create a salsa gitlab issue about the package update, where we will paste the result of this checklist into when we're done, for hysterical purposes.
- Look at upstream: what's in the staging-x.y branch now?
- Wait for upstream tests to succeed and for stable-x.yz to advance; see the osstest messages in https://lists.xenproject.org/archives/html/xen-devel/
- Pick the upstream commit that we're going to advance the packaging to -> RELEASE-4.16.2
- Choose the full target version number -> 4.16.2-1
- Fetch upstream into the packaging working copy
- Look through the new upstream changes and assemble the list of XSA info for the changelog -> already in final format! See also https://xenbits.xen.org/xsa/

  ```
  * Update to new upstream version [...], which also contains security fixes
    for the following issues:
    - x86 pv: Race condition in typeref acquisition
      XSA-401 CVE-2022-26362
    - x86 pv: Insufficient care with non-coherent mappings
      XSA-402 CVE-2022-26363 CVE-2022-26364
    - Linux disk/nic frontends data leaks
      XSA-403 CVE-2022-26365 CVE-2022-33740 CVE-2022-33741 CVE-2022-33742
    - x86: MMIO Stale Data vulnerabilities
      XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
    - Retbleed - arbitrary speculative code execution with return instructions
      XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
    - insufficient TLB flush for x86 PV guests in shadow mode
      XSA-408 CVE-2022-33745
  * Note that the following XSA are not listed, because...
    - XSA-405 and XSA-406 have patches for the Linux kernel.
  ```
- Create the upstream/xyz tag: git tag -s upstream/4.16.2 -m "Tag current upstream stable-4.16 branch for Debian baseline" RELEASE-4.16.2^{}
- Look at the current state of the packaging repo; do we have the right starting point? (like, the debian/xyz tag of the previous upload)
- Switch to a work in progress branch, like wip/sid
- Do gdr new-upstream magic -> git debrebase new-upstream 4.16.2-1
- Write the debian/changelog entry. Just look at the previous ones for formatting examples.
- Push the upstream/xyz tag and the wip branch to salsa, and let gitlab-ci also build it
- Create orig.tar.whatever -> git-deborig
- Have gdr update the debian/patches stuff -> git-debrebase make-patches
- Do a local build
- Smoke test, e.g. reboot a physical server with it, move some domU to it, do some live migrates, some restarts etc.
- Take a proper break
- Triple check debian/changelog for stupid errors
- We suddenly have lintian errors:
  - E: xen-utils-4.16: statically-linked-binary [usr/lib/xen-4.16/boot/hvmloader]
  - E: xen-utils-4.16: statically-linked-binary [usr/lib/xen-4.16/boot/xen-shim]
  - Also see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007002 it seems we have to convert the lintian overrides O_o
- Fix #1016547 about grub-mkconfig
- Upload: dgit push-source. This will also finish the git-debrebase process.
- Merge the WIP branch that is now finalized into the real branch (e.g. git checkout master; git merge wip/sid) so that whoever looks in our repo always sees something that corresponds to the current package in Debian.
- Push the branch and the debian/xyz tag to salsa
- Wait for ACCEPTED
- Wait for buildds to complete
- Wait for the new version to actually end up in unstable
- Move this whole section into the salsa gitlab issue and remove it here.
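An added helper for the "triple check debian/changelog for stupid errors" step (my script, not part of the Debian Xen packaging): it parses the XSA/CVE lines in the changelog entry format shown above and flags any XSA number inside the covered range that is neither fixed nor mentioned in the "not listed" note, plus XSA lines without well-formed CVE ids. The entry text embedded below is copied from the checklist; the "not listed" keyword used to find the note is an assumption about the wording.

```python
import re

XSA_LINE = re.compile(r"^\s*XSA-(\d+)((?:\s+CVE-\d{4}-\d{4,})+)\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_entry(text):
    """Return (fixed XSA number -> CVE list, excused XSA numbers, problems)."""
    fixed, excused, problems, in_note = {}, set(), [], False
    for line in text.splitlines():
        in_note = in_note or "not listed" in line   # the excuse note starts here
        if in_note:
            excused.update(int(n) for n in re.findall(r"XSA-(\d+)", line))
        elif (m := XSA_LINE.match(line)):
            fixed[int(m.group(1))] = CVE_RE.findall(m.group(2))
        elif re.match(r"^\s*XSA-\d+\b", line):     # XSA line without valid CVE ids
            problems.append(f"malformed XSA line: {line.strip()!r}")
    return fixed, excused, problems

def check_entry(text):
    """List inconsistencies in an entry; an empty list means it is consistent."""
    fixed, excused, problems = parse_entry(text)
    if not fixed:
        return problems + ["no XSA lines found"]
    # Every number between the lowest and highest fixed XSA must be fixed or
    # explicitly excused, so a silently skipped advisory gets noticed.
    for n in range(min(fixed), max(fixed) + 1):
        if n not in fixed and n not in excused:
            problems.append(f"XSA-{n} is neither fixed nor explained")
    for n in sorted(set(fixed) & excused):
        problems.append(f"XSA-{n} is both fixed and excused")
    return problems

# The relevant part of the 4.16.2-1 entry from the checklist above.
ENTRY = """\
  * Update to new upstream version [...], which also contains security fixes
    for the following issues:
    - Linux disk/nic frontends data leaks
      XSA-403 CVE-2022-26365 CVE-2022-33740 CVE-2022-33741 CVE-2022-33742
    - x86: MMIO Stale Data vulnerabilities
      XSA-404 CVE-2022-21123 CVE-2022-21125 CVE-2022-21166
    - Retbleed - arbitrary speculative code execution with return instructions
      XSA-407 CVE-2022-23816 CVE-2022-23825 CVE-2022-29900
    - insufficient TLB flush for x86 PV guests in shadow mode
      XSA-408 CVE-2022-33745
  * Note that the following XSA are not listed, because...
    - XSA-405 and XSA-406 have patches for the Linux kernel.
"""
if __name__ == "__main__":
    print(check_entry(ENTRY) or "changelog XSA list is consistent")
```

Dropping the "not listed" note from the entry makes the check report XSA-405 and XSA-406 as unexplained.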
Edited by Hans van Kranenburg