
Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable



Hi Holger, hi Wolfgang,

On  Fr 16 Aug 2019 21:43:05 CEST, Holger Levsen wrote:

> Hi Mike,
>
> On Fri, Aug 16, 2019 at 05:43:42PM +0000, mike.gabriel@das-netzwerkteam.de wrote:
> > I can do that after the weekend. I have put it in my calendar for Monday morning.
>
> great, thank you!

I have put together a buster branch for debian-edu-config. At the end of this mail find a .diff between buster..master.

I wasn't sure about the D-I / entropy related changes between 2.10.65 and 2.10.67 and if they were actually being targeted for the buster-pu or just for stable.

Please let me know, if "those" entropy commits need to get included or not.

Once we have agreed on a package version to upload to buster, I will compose the buster srm bug report for it.

Please give feedback. Thanks!

Mike

```
[mike@minobo d-e-c (buster)]$ git diff buster..master | cat
diff --git a/debian/changelog b/debian/changelog
index b78cc1b7..c4c58cf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,59 +1,14 @@
-debian-edu-config (2.10.65+deb10u1) UNRELEASED; urgency=medium
+debian-edu-config (2.10.67) unstable; urgency=medium

   [ Wolfgang Schweer ]
- * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes: #928756) - - Use PXE option 'ipappend 2' for LTSP client boot. This option makes sure
-      that all DHCP server information is getting through to LTSP clients.
-      (LTSP used this option before, but switched to 'ipappend 3' during the
-      Buster development cycle to ease setups with ProxyDHCP.)
-  * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
-    - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)
-  * Set environment variable to deal with Firefox profile. (Closes: #930122)
- This is a workaround for bug #930125, preventing firefox-esr startup issues
-    if the mozilla profile is on an NFS share).
- - Ship share/debian-edu-config/edu-firefox-nfs with NSS_SDB_USE_CACHE="yes"
-      as content. Thanks to Mike Gabriel for spotting the issue and providing
-      this information.
- - Add instructions to cf3/cf.workarounds to link the 'edu-firefox-nfs' file
-      to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'.
-  * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
-    - While the reported arch is i686, LTSP uses i386. Set arch accordingly.
-  * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
-    - Remove outdated (and now wrong) logging section.
-  * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
-    - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
- to changed behaviour of the ifupdown/dhclient/systemd combination and now - also causes the loss of a dynamically allocated ipv4 IP address after 20
-      to 30 minutes after booting.
-    - Add code to d/debian-edu-config.postinstall to implement the intended
-      hostname update just after rebooting the system after a change.
-    - Adjust Makefile.
-  * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
- - Adjust share/debian-edu-config/tools/create-debian-edu-certs to copy the
-      rootCA file to the web server directory at certificate generation time.
-    - Adjust cf3/cf.finalize to care for the rootCA file as well.
-    - Adjust cf3/cf.workarounds to copy the rootCA file to the web server
-      directory upon main server upgrade.
- * Add LDAP server certificate to the initial LTSP NBD image. (Closes: #932828)
-    - etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
-    - cf3/edu.cf: Define new class 'ltspimages'.
- - cf3/cf.finalize: Add code to include the LDAP server certificate for all
-      possible use cases, to generate the image and to adjust various rights.
-  * Changes to debian-edu-config.fetch-ldap-cert from 2.10.67).
+  * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
- Use independent conditions to make sure that the LDAP server certificate - is only downloaded once for both host and LTSP chroot. (Closes: #934380)
+      is only downloaded once for both host and LTSP chroot.
     - Add code to validate the LDAP server certificate in case the Debian Edu
       RootCA certificate is available for download.

   [ Mike Gabriel ]
-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66):
-    - Make the script (and with it Debian Edu buster workstations) work in a
- Debian Edu environment where the main server (TJENER) is still on Debian
-      Edu 8 or 9. (Closes: #926933)
-    - Retrieve TJENER's PKI server certificate only once per host to improve
- security. This re-introduces the behaviour of fetch-ldap-cert in stretch
-      and earlier. (Closes: #931413).
-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67):
+  * Code review debian-edu-config.fetch-ldap-cert:
     - White-space-only change: Fix broken and inconsistent indentations.
     - Fully inline-document fetch-ldap-cert script.
     - Add "-f" option to all curl calls that don't have it set so far.
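Review bot: the buster-side item "Changes to debian-edu-config.fetch-ldap-cert
from 2.10.67)." has a closing parenthesis without an opening one, while the
items under Mike Gabriel read "(from 2.10.66):" and "(from 2.10.67):"; use the
same "(from 2.10.67):" form before the upload. The entry also says the LDAP
server certificate is validated "in case the Debian Edu RootCA certificate is
available for download" without saying what the script does when it is not;
one more changelog line stating that fallback would let the release team judge
the change from the changelog alone.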
@@ -80,7 +35,64 @@ debian-edu-config (2.10.65+deb10u1) UNRELEASED; urgency=medium
     - Do a simple validity check if a directory under /opt/ltsp really is
       a chroot (and e.g. not the SquashFS images' directory).

- -- Petter Reinholdtsen <pere@debian.org>  Sat, 20 Apr 2019 07:53:26 +0200
+ -- Holger Levsen <holger@debian.org>  Thu, 15 Aug 2019 16:20:50 +0200
+
+debian-edu-config (2.10.66) unstable; urgency=medium
+
+  [ Wolfgang Schweer ]
+ * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes: #928756) + - Use PXE option 'ipappend 2' for LTSP client boot. This option makes sure
+      that all DHCP server information is getting through to LTSP clients.
+      (LTSP used this option before, but switched to 'ipappend 3' during the
+      Buster development cycle to ease setups with ProxyDHCP.)
+  * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
+    - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)
+  * Set environment variable to deal with Firefox profile. (Closes: #930122)
+ This is a workaround for bug #930125, preventing firefox-esr startup issues
+    if the mozilla profile is on an NFS share).
+ - Ship share/debian-edu-config/edu-firefox-nfs with NSS_SDB_USE_CACHE="yes"
+      as content. Thanks to Mike Gabriel for spotting the issue and providing
+      this information.
+ - Add instructions to cf3/cf.workarounds to link the 'edu-firefox-nfs' file
+      to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'.
+  * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
+    - While the reported arch is i686, LTSP uses i386. Set arch accordingly.
+  * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
+    - Remove outdated (and now wrong) logging section.
+ * Add LDAP server certificate to the initial LTSP NBD image. (Closes: #932828)
+    - etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
+    - cf3/edu.cf: Define new class 'ltspimages'.
+ - cf3/cf.finalize: Add code to include the LDAP server certificate for all
+      possible use cases, to generate the image and to adjust various rights.
+  * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
+ - Adjust share/debian-edu-config/tools/create-debian-edu-certs to copy the
+      rootCA file to the web server directory at certificate generation time.
+    - Adjust cf3/cf.finalize to care for the rootCA file as well.
+    - Adjust cf3/cf.workarounds to copy the rootCA file to the web server
+      directory upon main server upgrade.
+  * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
+    - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
+ to changed behaviour of the ifupdown/dhclient/systemd combination and now + also causes the loss of a dynamically allocated ipv4 IP address after 20
+      to 30 minutes after booting.
+    - Add code to d/debian-edu-config.postinstall to implement the intended
+      hostname update just after rebooting the system after a change.
+    - Adjust Makefile.
+
+  [ Mike Gabriel ]
+  * debian/debian-edu-config.fetch-ldap-cert: Make the script (and with it
+    Debian Edu buster workstations) work in a Debian Edu environment where
+    the main server (TJENER) is still on Debian Edu 8 or 9. (Closes: #926933)
+  * debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server
+    certificate only once per host to improve security. This re-introduces
+ the behaviour of fetch-ldap-cert in stretch and earlier. (Closes: #931413).
+
+  [ Holger Levsen ]
+  * Drop obsolete code in d-i/finish-install now that d-i uses haveged (via a
+    newly introduced udeb) or a hardware RNG. (See #923675).
+  * Bump standards version to 4.4.0, no changes needed.
+
+ -- Holger Levsen <holger@debian.org>  Sat, 10 Aug 2019 11:41:47 +0200

 debian-edu-config (2.10.65) unstable; urgency=medium

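Review bot: the trailer removed here belongs to the 2.10.65+deb10u1 entry and
still reads "Petter Reinholdtsen ... Sat, 20 Apr 2019", which predates the
2.10.66 and 2.10.67 trailers (10 and 15 Aug 2019) whose changes that entry
lists, and the entry header still says UNRELEASED. Before building the buster
upload, refresh the trailer (uploader and date) and set the distribution to
buster.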
diff --git a/debian/control b/debian/control
index d1e88c94..1ec1999b 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,7 @@ Uploaders: Petter Reinholdtsen <pere@debian.org>,
            Mike Gabriel <sunweaver@debian.org>,
            Wolfgang Schweer <wschweer@arcor.de>,
            Dominik George <natureshadow@debian.org>,
-Standards-Version: 4.3.0
+Standards-Version: 4.4.0
 Rules-Requires-Root: no
 Build-Depends: debhelper-compat (= 11)
 Build-Depends-Indep: po-debconf,
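Review bot: the Standards-Version bump from 4.3.0 to 4.4.0 does not fix any of
the bugs listed in the changelog, and the 2.10.66 entry records it as "no
changes needed"; for the buster upload I would keep 4.3.0 so the diff
submitted to the release team contains bug fixes only.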
diff --git a/share/debian-edu-config/d-i/finish-install b/share/debian-edu-config/d-i/finish-install
index 3422ecdd..973c3dc3 100644
--- a/share/debian-edu-config/d-i/finish-install
+++ b/share/debian-edu-config/d-i/finish-install
@@ -37,30 +37,6 @@ PROFILE="$RET"
 # easier to track our changes
 edu-etcvcs commit

-# Try to add entropy when running low
-(
-   cd /
-   while true ; do
-       entropy="$(cat /proc/sys/kernel/random/entropy_avail)"
-       if [ 130 -gt "$entropy" ] ; then
-           log "low on entropy, pool is $entropy. trying to add more"
-           # Disk IO add entropy to the kernel.  Flush cache to ensure
-           # find and touch/rm causes disk IO.
-           sync
-           echo 3 > /proc/sys/vm/drop_caches
-           find /target > /dev/null || true
-           touch /target/var/tmp/foo
-           sync
-           rm /target/var/tmp/foo
-           sync
-           entropy="$(cat /proc/sys/kernel/random/entropy_avail)"
-           log "entropy pool is $entropy after trying to add"
-       fi
-       sleep 20
-   done
-) < /dev/null 2>&1 3>/dev/null 4>&3 5>&3 6>&3 | logger -t edu-entropy-add &
-epid=$!
-
 # Make the installation look more like a finished system, to make sure
 # debconf-get-selections --installer work.
 . /usr/lib/finish-install.d/94save-logs
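Review bot: dropping the entropy loop is only safe for buster if the buster
installer also provides the entropy source the 2.10.66 changelog relies on
("d-i uses haveged (via a newly introduced udeb) or a hardware RNG", see
#923675); nothing in this diff shows that for the buster d-i. Please confirm
it before including this hunk in the buster upload, or keep the loop on the
buster branch; without either, the installer is back in the low-entropy
situation the loop was written for.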
@@ -110,13 +86,6 @@ db_set debian-edu-config/kdc-password '' || true
 db_set debian-edu-config/kdc-password-again '' || true
 log "info: Ensuring KDC and LDAP passwords are cleared from debconf database"

-# Ignore errors in case the entropy gathering is no longer running
-if kill $epid ; then
-    :
-else
-    log "error: killing the entropy gathering job failed - exited?"
-fi
-
 echo "info: processes using mount point below /target"
mountpoints="$(grep " /target" /proc/mounts | cut -d" " -f2 | sed s%/target%%g)"
 LANG=C chroot /target fuser -mv $mountpoints 2>&1 | sed 's/^/info: /'
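Review bot: the removal of the "kill $epid" block depends on the previous
hunk, which removes the only assignment "epid=$!". Treat the two hunks as one
unit when deciding about the entropy commits for buster: taking only this one
leaves the background loop running after finish-install, taking only the other
leaves a kill with an empty $epid.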

```
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
