In unstable, linux-image-*-unsigned packages and any corresponding
metapackage updates tend to be available a few hours before the
corresponding signed packages. An automatic upgrade with aptitude (at
least) may then install the unsigned kernel where a signed kernel
was previously used, resulting in boot failure.
I gave the linux-image-*-unsigned packages a Provides relation to the
unsuffixed (i.e. signed) package name because I thought packages built
by module-assistant generally depended on the corresponding kernel
package. That may have been true once but doesn't appear to be so
now.
So the Provides field can be harmful and doesn't appear to be useful,
and should be removed.
The current check has never worked because the find -path predicate
matches against the whole path, including the given root. In this
case that is $DESTDIR which always includes the version string.
Change to use cd before find.
Also, check all non-directories rather than all entries with "perf" in
the name.
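An added example (mine, not the packaging's own rules) that reproduces the bug on a constructed staging tree. With $DESTDIR as find's root, the `! -path "*$VERSION*"` test can never match because every printed path starts with the root, which already contains the version; after a cd, find tests the relative paths and the unversioned files show up. The exact shape of the original check (`-name '*perf*'` plus the `-path` test) and the file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Debian packaging. The form of the original
# check is assumed; the staging tree below is constructed for the demo.
set -eu

VERSION=4.19    # assumed kernel version string

# Build a throwaway staging tree whose top-level directory name contains
# $VERSION, as debian/linux-perf-$VERSION does. Prints the DESTDIR path.
setup_tree() {
    destdir="$(mktemp -d)/linux-perf-$VERSION"
    mkdir -p "$destdir/usr/bin" "$destdir/usr/share/doc/linux-perf-$VERSION"
    : > "$destdir/usr/bin/perf_$VERSION"                      # versioned: fine
    : > "$destdir/usr/bin/perf"                               # unversioned, perf-named
    : > "$destdir/usr/bin/trace"                              # unversioned, not perf-named
    : > "$destdir/usr/share/doc/linux-perf-$VERSION/README"   # versioned parent dir: fine
    printf '%s\n' "$destdir"
}

# Broken form: every path find prints starts with "$1", which already
# contains $VERSION, so '! -path "*$VERSION*"' rejects everything and the
# count is 0 no matter what was installed.
broken_count() {
    find "$1" -name '*perf*' ! -path "*$VERSION*" | wc -l | tr -d ' '
}

# Fixed form: cd first so paths are relative ("./usr/bin/trace"), and test
# every non-directory instead of only names containing "perf".
fixed_count() {
    (cd "$1" && find . ! -type d ! -path "*$VERSION*") | wc -l | tr -d ' '
}

if [ "${1:-}" = demo ]; then
    d="$(setup_tree)"
    echo "broken check finds: $(broken_count "$d") unversioned file(s)"
    echo "fixed check finds:  $(fixed_count "$d") unversioned file(s)"
    rm -rf "${d%/*}"
fi
```

Run with `sh check-perf-names.sh demo`: the broken form reports 0 and the fixed form reports 2 (`./usr/bin/perf` and `./usr/bin/trace`), which is the difference between a check that silently passes and one that catches an unversioned install.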
Backport Amazon ENA ethernet driver version 2.0.2 from Linux 4.20
This mostly amounts to cherry-picking the commits in the range described by
git log v4.19.5..v4.20-rc7 drivers/net/ethernet/amazon
Change e641e99f261f5203a911a9e0db54a214460d2cc4 introduced changes outside the
ena directory, but only removed a redundant #include and was trivial to scope
down.
Upstream dealt with merge conflicts in
d864991b220b7c62e81d21209e1fd978fd67352c; the resolution here was identical to
upstream.
tl;dr: Xen PVH is the perfect upgrade path from PV and in combination
with grub2 support, it's the Xen "killer feature" we really should have
in Buster.
Background info about Xen PVH:
https://wiki.xen.org/wiki/Virtualization_Spectrum#Almost_fully_PV:_PVH_mode
PVH mode in Xen, a.k.a. "HVM without having to run qemu" is a Xen guest
type best supported since Xen 4.11 and Linux kernel 4.17. Just like when
using PV mode, the guest does not have an emulated BIOS and the guest
kernel is directly started by the dom0. Buster will ship with Xen 4.11.
Why is PVH interesting?
1. When the whole Meltdown/Spectre story started, it quickly became
apparent that 64-bit PV is the most problematic virtualization mode to
protect and to protect from, since address space from the hypervisor and
other guests (including dom0) is reachable from a 64-bit PV domU. To
mitigate this, XPTI (the Xen variant of PTI) has been implemented in the
hypervisor, but with a performance hit. HVM (so, also PVH) guests are
better isolated from the hypervisor and other guests. Inside the guest a
choice can be made about which mitigations to enable or not. Also see
https://xenbits.xen.org/xsa/advisory-254.html
2. Unlike HVM, it's not needed to have a boot loader/sector, partitions,
and a qemu process in the dom0 (using cpu and memory and having an
attack surface). Also, when running a largeish amount of domUs on a
physical server, not having all the qemu processes is an advantage.
3. Unlike PV, PVH makes use of all hardware features that accelerate
virtualization.
The upgrade path from PV to PVH is super optimal. It's just setting
type='pvh' in the guest file and doing a full restart of the domU!
Unless... (insert Monty Python's Dramatic Chord!)
Unless... grub2 was used to boot the PV guests.
Why is it interesting to be able to use grub?
Without using grub in between, the guest kernel and initrd have to be
copied out of the guest onto the dom0 filesystem, because the guest has
to be booted with them directly. Currently, we already have the
grub-xen packages in Debian, which provide grub images which can be used
as kernel for a PV guest, after which it can load the actual linux
kernel that is symlinked from /vmlinuz on the guest filesystem at that
moment.
The final changes to the Linux kernel for grub+PVH are in Linux 4.20.
This request, to carry a few patches from Linux 4.20, provides one half
of the dots that need to be connected to make the full thing happen for
Buster.
Since we'll have Xen 4.11 in Buster, PVH is supported. The related grub2
patchset was committed to the grub master branch on Dec 12 2018 (yup,
today). So, I'll also start contacting the debian grub team soon to ask
(and help) to get the current grub-xen functionality in Debian to be
extended with PVH capabilities as well.
Test reports:
https://lists.xenproject.org/archives/html/xen-devel/2018-10/msg01913.html
https://lists.xenproject.org/archives/html/xen-devel/2018-11/msg03312.html
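As an added example (mine, not from the message above or from Debian's packaging), the two xl guest configurations the upgrade path contrasts: a PV guest booted through grub-xen, and the same guest as PVH with the kernel and initrd copied out of the guest, which is the workaround needed until grub-xen gains PVH support. The guest name, disk, bridge and copied-kernel paths are assumptions; /usr/lib/grub-xen/grub-x86_64-xen.bin is the image name I assume the grub-xen-host package installs.

```conf
# /etc/xen/guest1.cfg, before: PV guest booted through grub-xen. The grub
# image is the "kernel" Xen starts; it then loads /vmlinuz and /initrd.img
# from inside xvda, so nothing has to be copied to the dom0.
name   = 'guest1'
type   = 'pv'
memory = 1024
vcpus  = 2
disk   = [ 'phy:/dev/vg0/guest1-root,xvda,w' ]
vif    = [ 'bridge=xenbr0' ]
kernel = '/usr/lib/grub-xen/grub-x86_64-xen.bin'

# /etc/xen/guest1.cfg, after: same guest as PVH. Until grub-xen can act as
# a PVH kernel, the guest's kernel and initrd are copied onto the dom0 and
# booted directly (assumed paths); otherwise the change is type='pvh' and
# a full restart of the domU, as the message says.
name    = 'guest1'
type    = 'pvh'
memory  = 1024
vcpus   = 2
disk    = [ 'phy:/dev/vg0/guest1-root,xvda,w' ]
vif     = [ 'bridge=xenbr0' ]
kernel  = '/var/lib/xen/guest1/vmlinuz'
ramdisk = '/var/lib/xen/guest1/initrd.img'
extra   = 'root=/dev/xvda1 ro console=hvc0'
```

The second form is what makes the "copy the kernel out of the guest" step visible: every guest kernel update inside the domU has to be mirrored on the dom0, which is the operational cost the grub-xen PVH work removes.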
Permit overlayfs mounts within user namespaces to allow utilisation of e.g.
unprivileged LXC overlay snapshots.
Except by the Ubuntu community [1], overlayfs mounts in user namespaces are
expected to be a security risk [2] and thus are not enabled on upstream
Linux kernels. For the non-Ubuntu users that have to stick to unprivileged
overlay-based LXCs, this meant patching and compiling the kernel manually.
Instead, adding the kernel-tainting 'permit_mounts_in_userns' module
parameter allows a kind of user-friendly way to enable the feature.
Testable with:
sudo modprobe overlay permit_mounts_in_userns=1
sudo sysctl -w kernel.unprivileged_userns_clone=1
mkdir -p lower upper work mnt
unshare --map-root-user --mount \
    mount -t overlay none mnt \
    -o lowerdir=lower,upperdir=upper,workdir=work
[1]: Ubuntu allows unprivileged mounting of overlay filesystem
https://lists.ubuntu.com/archives/kernel-team/2014-February/038091.html
[2]: User namespaces + overlayfs = root privileges
https://lwn.net/Articles/671641/
Signed-off-by: Nicolas Schier <nicolas@fjasle.eu>
Split the rules in d/rules.real so that the [un]versioned_tools
knobs can be used to avoid building them.
This is necessary since the build-dependencies were moved to be
conditional on those knobs, so the build fails when the
unversioned tools are set to disabled: libpci-dev is not
installed but the tools are still built and fail due to it missing.
Signed-off-by: Luca Boccassi <bluca@debian.org>
This reverts commit 542ffe7fe2.
All drivers built under drivers/net/ethernet are included already
and should not be explicitly listed.
Move the bug closure to the previous log line.
Merge tag 'debian/4.18.20-1'
Release linux (4.18.20-1).
* [rt] Drop all changes from 4.18-rt
* Drop added patches which are already in 4.19
* Drop ABI bump
The default compression for the Debian tarball has been xz since dpkg
1.16.5 (pre-wheezy). lintian now warns about setting the compression
option, even though we don't change the default.
On AMD platforms, some pins are GPIO memory mapped pins and are used to mux some
functionalities by firmware. This fixes an Elantech touchpad that was not
available on the Lenovo IdeaPad 320-15ABR.
4.18.12-1 was never released with the cherry picked patch, and as such
we drop the maintainer stanza entry but add relevant information (e.g.
bug closer or CVE id) to the upstream changelog entry.
hv_{kvp,vss}_daemon used to communicate with the corresponding kernel
drivers over netlink, but now they use char devices. hv_fcopy_daemon
always used a char device. Rather than checking for Hyper-V
specifically, change all of the init scripts and systemd service
definitions to check for the appropriate device nodes.
Delete the check-hyperv program that we used to check for Hyper-V
in init scripts.
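An added example (mine, not the unit Debian ships) of what "check for the appropriate device node" looks like for one of the three daemons. The device node only exists once the hv_utils driver has bound to the KVP channel offered by the host, so the condition covers both "is this Hyper-V" and "does the host offer this service" without a separate probe program. The device path (/dev/vmbus/hv_kvp), the daemon path (/usr/sbin/hv_kvp_daemon) and the -n foreground flag are assumptions.

```ini
# Added example; paths and flags are assumptions, not Debian's shipped unit.
# The same pattern applies to hv_vss_daemon (/dev/vmbus/hv_vss) and
# hv_fcopy_daemon (/dev/vmbus/hv_fcopy).
[Unit]
Description=Hyper-V key-value pair (KVP) daemon
ConditionPathExists=/dev/vmbus/hv_kvp

[Service]
ExecStart=/usr/sbin/hv_kvp_daemon -n

[Install]
WantedBy=multi-user.target
```

The sysvinit equivalent is a single guard at the top of the init script, `[ -c /dev/vmbus/hv_kvp ] || exit 0`, so the script exits quietly on machines that are not Hyper-V guests or whose host does not offer the KVP channel.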
CONFIG_DEBUG_INFO and CONFIG_MODULE_SIG are added in gencontrol.py,
so be consistent with that.
This unfortunately requires some ugly escaping of quotes.
Checksumming the whole of debian/changelog when deciding whether to
run gencontrol.py results in (a) frequent changes to control.md5sum
and (b) the need to invoke various targets twice during development.
I originally made this change to address (a), which would be an
annoyance if and when we start using dgit. However, fixing (b) is a
nice benefit regardless of whether we do that.
The rt patch "of: allocate / free phandle cache outside of the
devtree_lock" drops the lock earlier in of_populate_phandle_cache()
and removes the "out" label which is no longer needed.
4.18.10 includes "of: fix phandle cache creation for DTs with no
phandles" which adds another "goto out" inside the locked section.
The previous textual conflict resolution between these changes left
the "goto out" in place, but it needs to be a "return".
SchemaItemBoolean and SchemaItemInteger attempt to raise an exception
of type Error when given invalid input, but this type has never been
defined. Use ValueError instead.
MakeFlags.__repr__ references a "flags" type (probably meant to be
MakeFlags). Gencontrol.write_config references the "file" type which
was removed in Python 3. Clearly neither of these methods are
actually used, so delete them.
- Add explicit imports for all needed modules, rather than indirectly
(accidentally!) importing them with "from ... import *"
- Replace all "from ... import *" statements, which inhibit static
checking, with explicit lists of names to import
- Delete the remaining unneeded imports reported by pyflakes
Fix coding style violations reported by pycodestyle. This is
mostly a matter of reformatting code, particularly to eliminate
over-long lines. I also rename one variable ("l" is considered
visually ambiguous) and change a bare "except" to explicitly
catch all exceptions.
There are three types of error or warning remaining:
- debian/bin/...: E402 module level import not at top of file
Scripts in debian/bin need to modify the import path before
importing from debian/lib/python.
- E127 continuation line over-indented for visual indent
This seems to be a false positive. pycodestyle doesn't seem to be
happy with any level of indent (including 0) on a continuation line
in a "with" statement.
- debian/lib/python/debian_linux/debian.py:15:2: W291 trailing whitespace
This is a false positive. The trailing spaces are in a long
string and are intentional.
Merge tag 'debian/4.18.10-1'
Release linux (4.18.10-1).
- Drop new patches that are already included upstream
- Keep ABI number set to "trunk"
- Refresh arm64 APEI workaround patch for 4.19
This updates the debian changelog for listing changes of this stable
update. It also removes patches applied upstream and refreshes a patch
that is part of 4.18.7-rt5.
This updates the debian changelog for listing changes of this stable
update. It also removes patches applied upstream and refreshes a patch
that is part of 4.18.7-rt5.
o Enable CONFIG_SCHED_SMT for hyperthreading processors.
o Enable CONFIG_ARM64_LSE_ATOMICS for v8.1 processors.
o Enable a number of ACPI options likely to be available on servers.
o CONFIG_ACPI_APEI selects PSTORE, so remove the arm64 specific setting.
Signed-off-by: Geoff Levand <geoff@infradead.org>
[bwh:
- Drop CONFIG_ACPI_CONFIGFS for now, as I think this feature
might need to be disabled under Secure Boot and the lockdown
patches don't currently do that
- Drop automatic config symbols
- Note the changes in debian/changelog
]
Geoff Levand wrote:
> Commit ed497f3cb7 (Add server and
> 96boards options) added an arm64 specific CONFIG_ACPI_NFIT=y,
> overriding the default of =m, but the commit message mentions
> nothing about why this was done.
>
> Remove the arm64 specific setting and use the default of module
> build.
Unlike Geoff's patch, this removes the explicit setting for arm64.
Merge tag 'debian/4.18.8-1'
Release linux (4.18.8-1).
- Drop ABI reference files and ABI maintenance patch
- Replace ccp driver patch with upstream version that applies to 4.19
I failed to notice that ppc64 had a symlink to powerpc's package-list
which overrode the dependencies for nic-pcmcia-modules. For now,
duplicate that override for ppc64. In the longer term the powerpc*
net driver packages should be reorganised to match other
architectures.
Fixes FTBFS.
- Add some architecture qualifications
- Remove architecture qualifications for ACPICA changes, since ACPI
is also used on ia64
- Remove lines for some components we don't build
This enables the USB power delivery controller that is found on some
ThinkPad laptops, like the ThinkPad L380. This solves the following
error in i2c_hid:
[ 1.917100] i2c_hid i2c-INT3515:02: unexpected HID descriptor bcdVersion (0x0000)
This has the effect of using a dummy_regulator by default (no support is
found for INT3515, so vdd cannot be found) and disable pm_runtime during
probe.
The scripts in question are maintainer scripts in a source package
(that happens to be inside a binary package) and shouldn't be
executable until they are installed into a new binary package.
The Debian signing service won't pay any attention to this, but it
sort of makes sense - you won't be able to build a source package
without dpkg-dev.
Fixes lintian error missing-dep-for-interpreter.
Currently we don't set all the architecture variables, so direct use
of these makefiles (not under dpkg-architecture or dpkg-buildpackage)
may fail.
In case ARCH and DEB_HOST_ARCH don't match in rules.real, we really
should fail, so add an explicit check for that.
This also fixes lintian warning
debian-rules-sets-dpkg-architecture-variable.
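An added example (mine, not the packaging's own rules.real) of the two pieces described above: take every DEB_*_ARCH* variable from dpkg-dev's architecture.mk, which works under plain `make` as well as under dpkg-buildpackage because it runs dpkg-architecture itself, and fail loudly when the packaging's own ARCH disagrees with the host architecture. ARCH is assumed here to be passed on the make command line, as in `make -f debian/rules.real ARCH=amd64 ...`.

```makefile
# Added example, not Debian's rules.real. ARCH is assumed to be set by the
# caller; architecture.mk (shipped by dpkg-dev) sets all DEB_*_ARCH*,
# DEB_*_GNU_* and DEB_*_MULTIARCH variables consistently.
include /usr/share/dpkg/architecture.mk

ifeq ($(ARCH),)
$(error ARCH must be given on the command line, e.g. ARCH=$(DEB_HOST_ARCH))
endif

ifneq ($(ARCH),$(DEB_HOST_ARCH))
$(error ARCH ($(ARCH)) does not match DEB_HOST_ARCH ($(DEB_HOST_ARCH)))
endif
```

Using the include instead of hand-assigning DEB_HOST_ARCH and friends is also what silences lintian's debian-rules-sets-dpkg-architecture-variable warning, since the rules file no longer overrides anything dpkg-architecture exports.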
uscan now does the file removals, which makes the hook script
redundant. Not only that, but the orig tarball passed to the hook is
no longer a symlink to the upstream filename, so genorig.py doesn't
recognise the filename and fails.
Since the linux-headers-common package was changed to be
architecture-independent, it won't include any binNMU changelog
fragment that should be installed for a per-flavour linux-headers
package.
Fixes lintian warning patch-file-present-but-not-mentioned-in-series.
Also preparation for using dgit, which will remove everything except
the main patch series under debian/patches.
Rename them to genpatch-{aufs,lockdown,rt}
Fixes lintian warning patch-file-present-but-not-mentioned-in-series.
Also preparation for using dgit, which will remove everything except
the main patch series under debian/patches.