[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: firmware-nonfree update

Hi Ben, thanks for the review.

On 05/03/2019 23:00, Ben Hutchings wrote:
> On Fri, 2019-03-01 at 14:05 +0100, Emilio Pozuelo Monfort wrote:
>> Hi Ben,
>> I have prepared an update for CVE-2018-5383/firmware-nonfree by backporting the
>> fixed firmware from the upstream repo that I could find. See my two commits in:
>> https://salsa.debian.org/pochu/firmware-nonfree/commits/jessie-security
>> I built the packages and compared one of the non-affected packages (qlogic) and
>> only the changelog has changed. Comparing atheros, the two drivers are updated,
>> and for intel some of the files are updated. However I see that for intel there
>> are some drivers that we don't ship in that version of firmware-nonfree, e.g.
>> ibt-{17,18}-*. For those, I wonder if we should update and ship them. If there's
>> any user with that hardware, they would need a firmware update I suppose.
> firmware-nonfree is meant to support the kernel version(s) shipped in
> the same suite, in the previous release, or in intermediate versions. 
> So for jessie that's 3.2-4.9 inclusive.  If one of those kernel
> versions may request the added files then they should be packaged. 
> Otherwise it's not necessary - users installing a newer kernel package
> from another suite can get the firmware packages from there too.

Right, makes sense. I suppose that since the Intel ibt-{17,18}-* firmware is not
present in the stretch package, that we shouldn't add it here. So I limited this
to updating the firmware that was already present.

>> (It
>> may be unlikely for old suites to have users with new hardware, however it's
>> possible and users that don't have it will be unaffected by the new firmware, so
>> it wouldn't hurt to ship it.)
>> My branch is for jessie but I can prepare it for stretch too if you think that's
>> worth it.
> The current jessie-security version of firmware-nonfree is really a
> backport from stretch.  So I would prefer it if you update the stretch
> branch first and then merge that to jessie-security.

Ack. I updated stretch here:


and created a MR:


If this looks fine I'd be happy to submit a pu bug for stable, and I'll also
look into an update for jessie.


Reply to: