On Mon, Mar 06, 2023 at 10:17:04PM +0100, Paul Gevers wrote:

Dear security team,

It's the time of the season to ask you to consider testing that the next security suite is working as intended. In our checklist [1] it's mentioned
to coordinate with you an upload to bookworm-security to confirm the build happens as expected. The checklist goes on to suggest a check that also a package needing signing works.

I recall Ivo and Salvatore coordinated that on IRC for bullseye although I can't find it in the logs. Can I be of any assistance?

For bookworm-security I could prepare an update for CVE-2021-26825/CVE-2021-26826,
it's fixed in sid, but the current version is blocked by FTBFS errors (#1031132).
The security fixes don't matter that much, but it would be a fine test.

For the signed infra, not sure what we used for bullseye, we could do a linux upload maybe, have it built and get signed in the private queue and then reject it?

That would test the whole signing workflow, and the release part after that is the
same as for a non-signed update. Salvatore, thoughts?

Cheers,
Moritz

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Copy: debian-release@lists.debian.org (debian-release)

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------OO257Ii07o8lKvnQLMUSAWxZ
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

RGVhciBzZWN1cml0eSB0ZWFtLA0KDQpJdCdzIHRoZSB0aW1lIG9mIHRoZSBzZWFzb24gdG8g YXNrIHlvdSB0byBjb25zaWRlciB0ZXN0aW5nIHRoYXQgdGhlIG5leHQgDQpzZWN1cml0eSBz dWl0ZSBpcyB3b3JraW5nIGFzIGludGVuZGVkLiBJbiBvdXIgY2hlY2tsaXN0IFsxXSBpdCdz IA0KbWVudGlvbmVkIHRvIGNvb3JkaW5hdGUgd2l0aCB5b3UgYW4gdXBsb2FkIHRvIGJvb2t3 b3JtLXNlY3VyaXR5IHRvIA0KY29uZmlybSB0aGUgYnVpbGQgaGFwcGVucyBhcyBleHBlY3Rl ZC4gVGhlIGNoZWNrbGlzdCBnb2VzIG9uIHRvIHN1Z2dlc3QgDQphIGNoZWNrIHRoYXQgYWxz byBhIHBhY2thZ2UgbmVlZGluZyBzaWduaW5nIHdvcmtzLg0KDQpJIHJlY2FsbCBJdm8gYW5k IFNhbHZhdG9yZSBjb29yZGluYXRlZCB0aGF0IG9uIElSQyBmb3IgYnVsbHNleWUgYWx0aG91 Z2ggDQpJIGNhbid0IGZpbmQgaXQgaW4gdGhlIGxvZ3MuIENhbiBJIGJlIG9mIGFueSBhc3Np c3RhbmNlPw0KDQpQYXVsDQoNClsxXSANCmh0dHBzOi8vd2lraS5kZWJpYW4ub3JnL1RlYW1z L1JlbGVhc2VUZWFtL1JlbGVhc2VDaGVja0xpc3QvQm9va3dvcm1DaGVja0xpc3QNCg==

--------------OO257Ii07o8lKvnQLMUSAWxZ--

-----BEGIN PGP SIGNATURE-----

wsB5BAABCAAjFiEEWLZtSHNr6TsFLeZynFyZ6wW9dQoFAmQGWFAFAwAAAAAACgkQnFyZ6wW9dQo8 2Af/czDoCoAGE+6K//RNC1e48q0Gx+MtrG9TGTqYK9Bs91KJjmvZzWNTC47X/UfljT7ujivcInvg ZhGXoJSPd5xCNsHShVVljYVS6loQt2xcaP4FEAx75IzQlcu9OG15NDzVJrOS0UgGY77PtqMPHIVE byNQr7fexQK23XB197VQ8wEAiNu1xpAHoJwRQsdyHlr5xYWHTb1q9kl2yHR1FgvEQgiu/IFI78wm nBFSta8hbUiPpU7tDuXFNvUPR+TJMnhFH0EkeYrs6Rgb1v8rk8aoWwsIY6tD674YL41FjJ8Qjtam aYz6xWY4CR7S2yxD3t6YqG1Mx+CDn8rJmp3BLV9dPw==
=55gn
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Moritz,

On Mon, Mar 06, 2023 at 10:37:07PM +0100, Moritz Muehlenhoff wrote:

On Mon, Mar 06, 2023 at 10:17:04PM +0100, Paul Gevers wrote:

Dear security team,

It's the time of the season to ask you to consider testing that the next security suite is working as intended. In our checklist [1] it's mentioned to coordinate with you an upload to bookworm-security to confirm the build happens as expected. The checklist goes on to suggest a check that also a package needing signing works.

I recall Ivo and Salvatore coordinated that on IRC for bullseye although I can't find it in the logs. Can I be of any assistance?

For bookworm-security I could prepare an update for CVE-2021-26825/CVE-2021-26826,
it's fixed in sid, but the current version is blocked by FTBFS errors (#1031132).
The security fixes don't matter that much, but it would be a fine test.

For the signed infra, not sure what we used for bullseye, we could do a linux upload maybe, have it built and get signed in the private queue and then reject it?

That would test the whole signing workflow, and the release part after that is the
same as for a non-signed update. Salvatore, thoughts?

We can do this time as you proposed, so a full cycle with up to dak new-security-install for godot, and for the signed package one just
go through all steps until we have all packages in embargoed queues,
and then reject.

If we see buildd do not pick correctly up the bookworm-security builds
then we need to involve ftp-master and buildd people.

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On Tue, Mar 07, 2023 at 10:50:10AM +0100, Salvatore Bonaccorso wrote:

Hi Moritz,

On Mon, Mar 06, 2023 at 10:37:07PM +0100, Moritz Muehlenhoff wrote:

On Mon, Mar 06, 2023 at 10:17:04PM +0100, Paul Gevers wrote:

Dear security team,

It's the time of the season to ask you to consider testing that the next security suite is working as intended. In our checklist [1] it's mentioned
to coordinate with you an upload to bookworm-security to confirm the build
happens as expected. The checklist goes on to suggest a check that also a package needing signing works.

I recall Ivo and Salvatore coordinated that on IRC for bullseye although I
can't find it in the logs. Can I be of any assistance?

For bookworm-security I could prepare an update for CVE-2021-26825/CVE-2021-26826,
it's fixed in sid, but the current version is blocked by FTBFS errors (#1031132).
The security fixes don't matter that much, but it would be a fine test.

For the signed infra, not sure what we used for bullseye, we could do a linux
upload maybe, have it built and get signed in the private queue and then reject it?

That would test the whole signing workflow, and the release part after that is the
same as for a non-signed update. Salvatore, thoughts?

We can do this time as you proposed, so a full cycle with up to dak new-security-install for godot, and for the signed package one just
go through all steps until we have all packages in embargoed queues,
and then reject.

Btw, as i forgot to mention in above reply: we last time used fwupd as
more lightweight variant of a signed package, instead of a big hammer
with src:linux. Indeed there were on dak side fixes like https://salsa.debian.org/ftp-team/code-signing/-/commit/20fbebb2705386b39783de51e277b08da6468e37
and https://salsa.debian.org/ftp-team/code-signing/-/commit/049ae606d0e61b8b0bdef299e142a6a81379c768
(because the archive side because of the naming scheme change for
security archive).

This won't be necessary anymore, but now I wonder if the
non-free-firmware part is covered (in case ever will need e.g. a intel-microcode DSA).

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi FTP-masters,

On Tue, Mar 07, 2023 at 11:07:44AM +0100, Salvatore Bonaccorso wrote:

Hi,

On Tue, Mar 07, 2023 at 10:50:10AM +0100, Salvatore Bonaccorso wrote:

Hi Moritz,

On Mon, Mar 06, 2023 at 10:37:07PM +0100, Moritz Muehlenhoff wrote:

On Mon, Mar 06, 2023 at 10:17:04PM +0100, Paul Gevers wrote:

Dear security team,

It's the time of the season to ask you to consider testing that the next
security suite is working as intended. In our checklist [1] it's mentioned
to coordinate with you an upload to bookworm-security to confirm the build
happens as expected. The checklist goes on to suggest a check that also a
package needing signing works.

I recall Ivo and Salvatore coordinated that on IRC for bullseye although I
can't find it in the logs. Can I be of any assistance?

For bookworm-security I could prepare an update for CVE-2021-26825/CVE-2021-26826,
it's fixed in sid, but the current version is blocked by FTBFS errors (#1031132).
The security fixes don't matter that much, but it would be a fine test.

For the signed infra, not sure what we used for bullseye, we could do a linux
upload maybe, have it built and get signed in the private queue and then reject it?

That would test the whole signing workflow, and the release part after that is the
same as for a non-signed update. Salvatore, thoughts?

We can do this time as you proposed, so a full cycle with up to dak new-security-install for godot, and for the signed package one just
go through all steps until we have all packages in embargoed queues,
and then reject.

Btw, as i forgot to mention in above reply: we last time used fwupd as
more lightweight variant of a signed package, instead of a big hammer
with src:linux. Indeed there were on dak side fixes like https://salsa.debian.org/ftp-team/code-signing/-/commit/20fbebb2705386b39783de51e277b08da6468e37
and https://salsa.debian.org/ftp-team/code-signing/-/commit/049ae606d0e61b8b0bdef299e142a6a81379c768
(because the archive side because of the naming scheme change for
security archive).

This won't be necessary anymore, but now I wonder if the
non-free-firmware part is covered (in case ever will need e.g. a intel-microcode DSA).

We made a test upload targeting bookworm-security with a package which
will migrate in some days anyway to bookworm, but still fixing a
security issue.

python-cryptography/38.0.4-3~deb12u1 was uploaded to security-master
as source only upload, the upload got rejected with:

| Source-only uploads to NEW are not allowed.
|
| binary:python-cryptography-doc is NEW.
| binary:python3-cryptography is NEW.
| source:python-cryptography is NEW.

Can you have a look? Is something yet missing to habe the
bookworm-security suite up and running for security-master?

Once this is accepted, and packages build we will try to as well
install it into the archive. Following that a test upload involving a
package needing the code-signing service will be done as well (though
skipping the install step later likely).

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

Salvatore Bonaccorso writes:

python-cryptography/38.0.4-3~deb12u1 was uploaded to security-master
as source only upload, the upload got rejected with:

| Source-only uploads to NEW are not allowed.

There were two issues:

- The override sync from ftp-master to security-master was not handling
the fancy new `-security` addition to suite names.

- `bookworm-security` was still configured to not accept any uploads
(as was done when the suite was created to prevent accidental
uploads).

Both issues are now solved and the python-cryptography source upload was processed successfully.

Ansgar

-----BEGIN PGP SIGNATURE-----

iIgEARYKADAWIQR3hZU8YXPYylUJRxfDof4h+X+qzwUCZAklVRIcYW5zZ2FyQGRl Ymlhbi5vcmcACgkQw6H+Ifl/qs+0aAD/RISdryEWMt3dT/5xwtOlnEhN3srh4r1p BIs6TZYavhUA/RUoIBJpmcb//gRrAcqnHaZyENCHf+fPa9w9oCDt8awI
=agQ7
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Ansgar,

[Adding debian-wb-team@lists.debian.org list]

On Thu, Mar 09, 2023 at 01:16:21AM +0100, Ansgar wrote:

Hi,

Salvatore Bonaccorso writes:

python-cryptography/38.0.4-3~deb12u1 was uploaded to security-master
as source only upload, the upload got rejected with:

| Source-only uploads to NEW are not allowed.

There were two issues:

- The override sync from ftp-master to security-master was not handling
the fancy new `-security` addition to suite names.

- `bookworm-security` was still configured to not accept any uploads
(as was done when the suite was created to prevent accidental
uploads).

Both issues are now solved and the python-cryptography source upload was processed successfully.

Thank you for addressing both. I can confirm we have now partially
builds on the embargoed queue.

From what I see there are the mipsel and mips64el builds missing and

according to a quick chat with Adam on IRC it is not that they are yet
just missing because of buildd overloaded. Actually bookworm-security
seems not yet configured to be handled by mipsel and mips64el buildds.

Wanna-build team, can you have a look and check the mipsel, mips64el
status (and actually if we are setup complete as well on buildd setup
for bookworm-security)?

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On Thu, Mar 09, 2023 at 11:35:46AM +0100, Salvatore Bonaccorso wrote:

Hi Ansgar,

[Adding debian-wb-team@lists.debian.org list]

On Thu, Mar 09, 2023 at 01:16:21AM +0100, Ansgar wrote:

Hi,

Salvatore Bonaccorso writes:

python-cryptography/38.0.4-3~deb12u1 was uploaded to security-master
as source only upload, the upload got rejected with:

| Source-only uploads to NEW are not allowed.

There were two issues:

- The override sync from ftp-master to security-master was not handling
the fancy new `-security` addition to suite names.

- `bookworm-security` was still configured to not accept any uploads
(as was done when the suite was created to prevent accidental
uploads).

Both issues are now solved and the python-cryptography source upload was processed successfully.

Thank you for addressing both. I can confirm we have now partially
builds on the embargoed queue.

FTR, Steve as well uploaded src:shim to test the code signing
involving path, and looks fine AFAICS. To Steve's request we will
though not install those packages, so reject them from the embargoed
queues.

From what I see there are the mipsel and mips64el builds missing and according to a quick chat with Adam on IRC it is not that they are yet
just missing because of buildd overloaded. Actually bookworm-security
seems not yet configured to be handled by mipsel and mips64el buildds.

Wanna-build team, can you have a look and check the mipsel, mips64el
status (and actually if we are setup complete as well on buildd setup
for bookworm-security)?

This one would still need to be checked, looping in as well Debian
Build Daemon team alias. Buildd admins, chan you have a look? I still
would like to install for real python-crytpography, though we have
missed the window to do it earlier than the -3 upload migrated to
testing. It still should work I think. Otherwise we will do then
another test with another package.

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 2023-03-10 16:55, Salvatore Bonaccorso wrote:

Hi,

On Thu, Mar 09, 2023 at 11:35:46AM +0100, Salvatore Bonaccorso wrote:

Hi Ansgar,

[Adding debian-wb-team@lists.debian.org list]

On Thu, Mar 09, 2023 at 01:16:21AM +0100, Ansgar wrote:

Hi,

Salvatore Bonaccorso writes:

python-cryptography/38.0.4-3~deb12u1 was uploaded to security-master
as source only upload, the upload got rejected with:

| Source-only uploads to NEW are not allowed.

There were two issues:

- The override sync from ftp-master to security-master was not handling
the fancy new `-security` addition to suite names.

- `bookworm-security` was still configured to not accept any uploads
(as was done when the suite was created to prevent accidental
uploads).

Both issues are now solved and the python-cryptography source upload was processed successfully.

Thank you for addressing both. I can confirm we have now partially
builds on the embargoed queue.

FTR, Steve as well uploaded src:shim to test the code signing
involving path, and looks fine AFAICS. To Steve's request we will
though not install those packages, so reject them from the embargoed
queues.

From what I see there are the mipsel and mips64el builds missing and according to a quick chat with Adam on IRC it is not that they are yet
just missing because of buildd overloaded. Actually bookworm-security
seems not yet configured to be handled by mipsel and mips64el buildds.

Wanna-build team, can you have a look and check the mipsel, mips64el
status (and actually if we are setup complete as well on buildd setup
for bookworm-security)?

Sorry to not have looked that earlier. Indeed none of the mips*el
buildds were configured to build bookworm-security. I have enabled it on
two buildds for now, but this has to be done for all buildds. We also
need to check that it is the case for the other architectures. I have no
time now, I'll keep you updated once done, but in the meantime you
should be able to do tests with more packages.

This one would still need to be checked, looping in as well Debian
Build Daemon team alias. Buildd admins, chan you have a look? I still
would like to install for real python-crytpography, though we have
missed the window to do it earlier than the -3 upload migrated to
testing. It still should work I think. Otherwise we will do then
another test with another package.

python-cryptography has now been uploaded on both mipsel and mips64el.

Aurelien
--
Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://www.aurel32.net

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi Aurelien,

On Fri, Mar 10, 2023 at 05:59:08PM +0100, Aurelien Jarno wrote:

Hi,

On 2023-03-10 16:55, Salvatore Bonaccorso wrote:

Hi,

On Thu, Mar 09, 2023 at 11:35:46AM +0100, Salvatore Bonaccorso wrote:

Hi Ansgar,

[Adding debian-wb-team@lists.debian.org list]

On Thu, Mar 09, 2023 at 01:16:21AM +0100, Ansgar wrote:

Hi,

Salvatore Bonaccorso writes:

python-cryptography/38.0.4-3~deb12u1 was uploaded to security-master as source only upload, the upload got rejected with:

| Source-only uploads to NEW are not allowed.

There were two issues:

- The override sync from ftp-master to security-master was not handling
the fancy new `-security` addition to suite names.

- `bookworm-security` was still configured to not accept any uploads
(as was done when the suite was created to prevent accidental
uploads).

Both issues are now solved and the python-cryptography source upload was
processed successfully.

Thank you for addressing both. I can confirm we have now partially
builds on the embargoed queue.

FTR, Steve as well uploaded src:shim to test the code signing
involving path, and looks fine AFAICS. To Steve's request we will
though not install those packages, so reject them from the embargoed queues.

From what I see there are the mipsel and mips64el builds missing and according to a quick chat with Adam on IRC it is not that they are yet just missing because of buildd overloaded. Actually bookworm-security seems not yet configured to be handled by mipsel and mips64el buildds.

Wanna-build team, can you have a look and check the mipsel, mips64el status (and actually if we are setup complete as well on buildd setup
for bookworm-security)?

Sorry to not have looked that earlier. Indeed none of the mips*el
buildds were configured to build bookworm-security. I have enabled it on
two buildds for now, but this has to be done for all buildds. We also
need to check that it is the case for the other architectures. I have no
time now, I'll keep you updated once done, but in the meantime you
should be able to do tests with more packages.

This one would still need to be checked, looping in as well Debian
Build Daemon team alias. Buildd admins, chan you have a look? I still
would like to install for real python-crytpography, though we have
missed the window to do it earlier than the -3 upload migrated to
testing. It still should work I think. Otherwise we will do then
another test with another package.

python-cryptography has now been uploaded on both mipsel and mips64el.

Thanks, confirmed the two bulds arrived as well.

Paul and release team, here is a summary: so I think we can confirm
that the bookworm-security side of things works now (modulo the above
checking by Aurelien). We did:

Test python-cryptography upload as rebuild of the one uploaded to
unstable, as it was near to the migration time and to be superseeded
anyway. This happened before we were able to install. But the on all
release archictecures we had builds triggered (after Ansgar as well
did adjust security-master side of things). After the packages got
sucessfully built we did install it into the security archive. it is
available there. The package got rejected to be accepted in testing-proposed-updates in the following due to the 38.0.4-3 already
been migrated to testing.

Steve uploaded src:shim samewise to bookworm-security, involving the code-singing part. This went fine as well, we rejected the packages
from the embargoed queues afterwards.

A third test was done with libtmps which had a security fix in
unstable, but not yet migrated to testing. 0.9.2-3.1~deb12u1 got built
every where and installing it in the security-archive was sucessful.
The following step to sync int to testing-proposed-updates worked as
well, it is now there:

libtpms | 0.9.2-3~bpo11+1 | bullseye-backports | source libtpms | 0.9.2-3~bpo11+1 | bullseye-backports-debug | source libtpms | 0.9.2-3 | testing | source libtpms | 0.9.2-3.1~deb12u1 | buildd-testing-proposed-updates | source libtpms | 0.9.2-3.1~deb12u1 | testing-proposed-updates | source libtpms | 0.9.2-3.1~deb12u1 | testing-proposed-updates-debug | source libtpms | 0.9.2-3.1 | unstable | source libtpms | 0.9.2-3.1 | unstable-debug | source

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On 2023-03-10 23:11, Salvatore Bonaccorso wrote:

Hi Aurelien,

On Fri, Mar 10, 2023 at 05:59:08PM +0100, Aurelien Jarno wrote:

Hi,

On 2023-03-10 16:55, Salvatore Bonaccorso wrote:

Hi,

On Thu, Mar 09, 2023 at 11:35:46AM +0100, Salvatore Bonaccorso wrote:

Hi Ansgar,

[Adding debian-wb-team@lists.debian.org list]

On Thu, Mar 09, 2023 at 01:16:21AM +0100, Ansgar wrote:

Hi,

Salvatore Bonaccorso writes:

python-cryptography/38.0.4-3~deb12u1 was uploaded to security-master
as source only upload, the upload got rejected with:

| Source-only uploads to NEW are not allowed.

There were two issues:

- The override sync from ftp-master to security-master was not handling
the fancy new `-security` addition to suite names.

- `bookworm-security` was still configured to not accept any uploads
(as was done when the suite was created to prevent accidental
uploads).

Both issues are now solved and the python-cryptography source upload was
processed successfully.

Thank you for addressing both. I can confirm we have now partially builds on the embargoed queue.

FTR, Steve as well uploaded src:shim to test the code signing
involving path, and looks fine AFAICS. To Steve's request we will
though not install those packages, so reject them from the embargoed queues.

From what I see there are the mipsel and mips64el builds missing and according to a quick chat with Adam on IRC it is not that they are yet just missing because of buildd overloaded. Actually bookworm-security seems not yet configured to be handled by mipsel and mips64el buildds.

Wanna-build team, can you have a look and check the mipsel, mips64el status (and actually if we are setup complete as well on buildd setup for bookworm-security)?

Sorry to not have looked that earlier. Indeed none of the mips*el
buildds were configured to build bookworm-security. I have enabled it on two buildds for now, but this has to be done for all buildds. We also
need to check that it is the case for the other architectures. I have no time now, I'll keep you updated once done, but in the meantime you
should be able to do tests with more packages.

This one would still need to be checked, looping in as well Debian
Build Daemon team alias. Buildd admins, chan you have a look? I still would like to install for real python-crytpography, though we have
missed the window to do it earlier than the -3 upload migrated to testing. It still should work I think. Otherwise we will do then
another test with another package.

python-cryptography has now been uploaded on both mipsel and mips64el.

Thanks, confirmed the two bulds arrived as well.

Paul and release team, here is a summary: so I think we can confirm
that the bookworm-security side of things works now (modulo the above checking by Aurelien). We did:

I have checked and updated the buildds config. We now have all bookworm
suites enabled consistently across all the buildds.

Aurelien

--
Aurelien Jarno GPG: 4096R/1DDD8C9B aurelien@aurel32.net http://www.aurel32.net

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)