
Re: xen debdiff



On Tue, 03 May 2016, Brian May wrote:
> He had some concerns with using the Ubuntu version like this. In
> particular Ubuntu does some things differently with respect to init.d
> scripts, has a different changelog, and there are some other changes
> here that may not be security related.

Just to be more specific, if you look up the Ubuntu changelog, you will
see that the Ubuntu version is based on Debian's 4.1.1-3 while the wheezy
package is at 4.1.4-3. So all the Debian packaging changes between those
two versions are actually reverted by the switch to the Ubuntu package.

So I believe that you should start from the Debian package, switch to the
new upstream version and possibly rely on the Ubuntu package to update
the set of patches to fix all security issues that do apply on this
new upstream version.

Here are some of the important changes that are reverted by your
debdiff:

-xen (4.1.3~rc1+hg-20120614.a9c0a89c08f2-3) unstable; urgency=low
-
-  * Remove /usr/lib/xen-default. It breaks systems if xenstored is not
-    compatible.
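
Review bot: the removed 4.1.3~rc1+hg-20120614.a9c0a89c08f2-3 entry records that /usr/lib/xen-default was dropped because it breaks systems when xenstored is not compatible, so if the debdiff also brings that path back, upgraded wheezy hosts could hit the same breakage. Check the package file lists in the debdiff for /usr/lib/xen-default before upload.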

-xen (4.1.2-7) unstable; urgency=low
-  
-  * Really use ucf.
-  * Update init script dependencies:
-    - Start $syslog before xen.
-    - Start drbd and iscsi before xendomains. (closes: #626356)
-    - Start corosync and heartbeat after xendomains.
-  * Remove /var/log/xen on purge. (closes: #656216)

-xen (4.1.2-6) unstable; urgency=low
-
-  * Fix generation of architectures for hypervisor packages.
-  * Remove information about loop devices, it is incorrect. (closes: #503044)
-  * Update xendomains init script:
-    - Create directory for domain images only root readable. (closes: #596048)
-    - Add missing sanity checks for variables. (closes: #671750)
-    - Remove not longer supported config options.
-    - Don't fail if no config is available.
-    - Remove extra output if domain was restored.
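
Review bot: in the removed 4.1.2-6 entry, the xendomains items "Create directory for domain images only root readable" (#596048) and "Add missing sanity checks for variables" (#671750) are hardening changes, and losing them in a security upload would be a regression. Confirm that the xendomains init script shipped by the debdiff still creates the directory for domain images as root-only and keeps the variable checks, or keep the Debian version of the script.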

-xen (4.1.2-5) unstable; urgency=low
-
-  * Actually force init script rename. (closes: #669341)
-  * Rewrite xendomains init script:
-    - Use LSB output functions.
-    - Make output more clear.
-    - Use xen toolstack wrapper.
-    - Use a python script to properly read domain details.

-xen (4.1.2-4) unstable; urgency=low
-
-  [ Bastian Blank ]
-  * Build-depend on ipxe-qemu instead of ipxe. (closes: #665070)
-  * Don't longer use a4wide latex package.
-  * Use ucf for /etc/default/xen.
-  * Remove handling for old udev rules link and xenstored directory.
-  * Rename xend init script to xen.

-xen (4.1.2-3) unstable; urgency=low
-
-  * Merge xen-common source package.
-  * Remove xend wrapper, it should not be called by users.
-  * Support xl in init script.
-  * Restart xen daemons on upgrade.
-  * Restart and stop xenconsoled in init script.
-  * Load xen-gntdev module.
-  * Create /var/lib/xen. (closes: #658101)
-  * Cleanup udev rules. (closes: #657745)

> As a result it might be better to continue my previous efforts of
> porting the security fixes to the version of Xen in Debian wheezy.
> 
> On the other hand the version in Ubuntu is tried and tested and possibly
> less risk of me breaking something.
> 
> Or I could just leave xen for now and let somebody more experienced with
> Xen take over.

I don't think that any Xen experience makes a big difference here as
the problems I pointed out are in the packaging and not in the upstream
source code. I still believe that we should update to the latest 4.1.x
release.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

