
Re: firmware-nonfree update



Hi Ben, thanks for the review.

On 05/03/2019 23:00, Ben Hutchings wrote:
> On Fri, 2019-03-01 at 14:05 +0100, Emilio Pozuelo Monfort wrote:
>> Hi Ben,
>>
>> I have prepared an update for CVE-2018-5383/firmware-nonfree by backporting the
>> fixed firmware from the upstream repo that I could find. See my two commits in:
>>
>> https://salsa.debian.org/pochu/firmware-nonfree/commits/jessie-security
>>
>> I built the packages and compared one of the non-affected packages (qlogic) and
>> only the changelog has changed. Comparing atheros, the two drivers are updated,
>> and for intel some of the files are updated. However I see that for intel there
>> are some drivers that we don't ship in that version of firmware-nonfree, e.g.
>> ibt-{17,18}-*. For those, I wonder if we should update and ship them. If there's
>> any user with that hardware, they would need a firmware update I suppose.
> 
> firmware-nonfree is meant to support the kernel version(s) shipped in
> the same suite, in the previous release, or in intermediate versions. 
> So for jessie that's 3.2-4.9 inclusive.  If one of those kernel
> versions may request the added files then they should be packaged. 
> Otherwise it's not necessary - users installing a newer kernel package
> from another suite can get the firmware packages from there too.

Right, makes sense. I suppose that since the Intel ibt-{17,18}-* firmware is not
present in the stretch package, we shouldn't add it here. So I limited this
to updating the firmware that was already present.

>> (It
>> may be unlikely for old suites to have users with new hardware, however it's
>> possible and users that don't have it will be unaffected by the new firmware, so
>> it wouldn't hurt to ship it.)
>>
>> My branch is for jessie but I can prepare it for stretch too if you think that's
>> worth it.
> 
> The current jessie-security version of firmware-nonfree is really a
> backport from stretch.  So I would prefer it if you update the stretch
> branch first and then merge that to jessie-security.

Ack. I updated stretch here:

https://salsa.debian.org/pochu/firmware-nonfree/commits/stretch

and created an MR:

https://salsa.debian.org/kernel-team/firmware-nonfree/merge_requests/6

If this looks fine I'd be happy to submit a pu bug for stable, and I'll also
look into an update for jessie.

Cheers,
Emilio

