debian-edu-config_2.10.67_source.changes ACCEPTED into unstable


debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

Debian FTP Masters


Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 15 Aug 2019 16:20:50 +0200
Source: debian-edu-config
Architecture: source
Version: 2.10.67
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <[hidden email]>
Changed-By: Holger Levsen <[hidden email]>
Closes: 934380
Changes:
 debian-edu-config (2.10.67) unstable; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
     - Use independent conditions to make sure that the LDAP server certificate
       is only downloaded once for both host and LTSP chroot.
     - Add code to validate the LDAP server certificate in case the Debian Edu
       RootCA certificate is available for download.
 .
   [ Mike Gabriel ]
   * Code review debian-edu-config.fetch-ldap-cert:
     - White-space-only change: Fix broken and inconsistent indentations.
     - Fully inline-document fetch-ldap-cert script.
     - Add "-f" option to all curl calls that don't have it set so far.
       This assures that curl bails out with a non-zero exit code, if anything
       goes wrong while retrieving certificate files.
     - Also report a successful certificate verification if we verified the
       LDAP server certificate using the Debian Edu RootCA.
     - Really check that the LDAP server uses a certificate issued by the
       "Debian Edu RootCA", not just by (some) "RootCA".
     - Add 2x FIXME about BUNDLECRT file removal from host and from LTSP chroots.
     - LTSP chroot certificate copying: only log those actions, if they are
       actually about to happen..
     - Silence curl stderr and gnutls-cli stdout+stderr.
     - Certificate retrieval: Fix upgrade path for RootCA deployment. Re-run
       CERTFILE (and ROOTCACRT retrieval) until we have both on the client.
       This will lead to repetitive downloads of the CERTFILE on system boot.
       To get rid of this, people must upgrade their TJENERs from Debian Edu
       10.0 to 10.1. Then it will stop. This hack is necessary to assure
       distribution of the RootCA to all clients that don't have it, yet.
     - Detach dependency of ROOTCACRT chroot copying and BUNDLECRT chroot
       copying from chroot copying of the CERTFILE. The chroot may have the
       CERTFILE, but not the ROOTCACRT, yet. This assures a smooth upgrade
       path from Debian Edu 10.0 to Debian Edu 10.1.
     - Do a simple validity check if a directory under /opt/ltsp really is
       a chroot (and e.g. not the SquashFS images' directory).
Checksums-Sha1:
 3bd8da91b4e9c3dbdf61e357dcd12b0516398229 1918 debian-edu-config_2.10.67.dsc
 a54a2cfe07829975ee8a258e0afd44dbc9987531 344664 debian-edu-config_2.10.67.tar.xz
 87e735f6f2a8996b3852873742505b4e7515de69 5276 debian-edu-config_2.10.67_source.buildinfo
Checksums-Sha256:
 3b45bbe47a91000f13d4420d98a047f46b41e4b2758aa58b8bfe9235ddd94d41 1918 debian-edu-config_2.10.67.dsc
 7fd13aeeae687972269ad4a60dba3bb4671cd12d5e519965432d1774af28c76e 344664 debian-edu-config_2.10.67.tar.xz
 8df1a4f64d14c95622890593615d0675168ebd0c5590221940a6c820fc47b18b 5276 debian-edu-config_2.10.67_source.buildinfo
Files:
 a842b5853927c469bee3ce05a7878108 1918 misc optional debian-edu-config_2.10.67.dsc
 eed77fc54f4b09e828205c5a336ba81c 344664 misc optional debian-edu-config_2.10.67.tar.xz
 376de7c334d73b18d454c847e2de0acd 5276 misc optional debian-edu-config_2.10.67_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


Thank you for your contribution to Debian.


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

Holger Levsen-2
Hi,

On Thu, Aug 15, 2019 at 02:38:33PM +0000, Debian FTP Masters wrote:
> Source: debian-edu-config
> Version: 2.10.67
[...]
>    debian-edu-config.fetch-ldap-cert:
>      - Fully inline-document fetch-ldap-cert script.

this is really great

>      - White-space-only change: Fix broken and inconsistent indentations.
 
looking at the debdiff between what's in stable and this, it seems this
is mostly not visible because it's basically/almost a rewrite anyway:

$ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstat
 Makefile                                                             |    2
 cf3/cf.finalize                                                      |   52 +
 cf3/cf.homes                                                         |    2
 cf3/cf.workarounds                                                   |   16
 cf3/edu.cf                                                           |    1
 debian/changelog                                                     |   96 +++
 debian/control                                                       |    2
 debian/debian-edu-config.fetch-ldap-cert                             |  283 ++++++++--
 debian/debian-edu-config.postinst                                    |   14
 etc/ltsp/ltsp-build-client.conf                                      |    2
 etc/network/if-up.d/hostname                                         |   43 -
 share/debian-edu-config/d-i/finish-install                           |   31 -
 share/debian-edu-config/edu-firefox-nfs                              |    1
 share/debian-edu-config/sudo-ldap.conf                               |    1
 share/debian-edu-config/tools/create-debian-edu-certs                |    2
 share/debian-edu-config/tools/kerberos-kdc-init                      |    5
 share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |    4
 17 files changed, 418 insertions(+), 139 deletions(-)

(so maybe it would have been wiser not to mention the white-space only changes,
as the release team really dislikes them.)

however/anyway, I'm not sure we can get this past the release team for the stable point
release. we might. we think all these changes are useful/needed for stable, right?

would someone else (Mike?) be willing to file an SRM bug for debian-edu-config_2.10.65~deb10u1?


--
cheers,
        Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

Wolfgang Schweer-3
On Thu, Aug 15, 2019 at 03:54:54PM +0000, Holger Levsen wrote:

> On Thu, Aug 15, 2019 at 02:38:33PM +0000, Debian FTP Masters wrote:
> > Source: debian-edu-config
> > Version: 2.10.67
> [...]
> >    debian-edu-config.fetch-ldap-cert:
> >      - Fully inline-document fetch-ldap-cert script.
>
> this is really great
>
> >      - White-space-only change: Fix broken and inconsistent indentations.
>  
> looking at the debdiff between what's in stable and this, it seems this
> is mostly not visible because it's basically/almost a rewrite anyway:
>
> $ debdiff debian-edu-config_2.10.65.dsc debian-edu-config_2.10.67.dsc|diffstat
>  Makefile                                                             |    2
>  cf3/cf.finalize                                                      |   52 +
>  cf3/cf.homes                                                         |    2
>  cf3/cf.workarounds                                                   |   16
>  cf3/edu.cf                                                           |    1
>  debian/changelog                                                     |   96 +++
>  debian/control                                                       |    2
>  debian/debian-edu-config.fetch-ldap-cert                             |  283 ++++++++--
>  debian/debian-edu-config.postinst                                    |   14
>  etc/ltsp/ltsp-build-client.conf                                      |    2
>  etc/network/if-up.d/hostname                                         |   43 -
>  share/debian-edu-config/d-i/finish-install                           |   31 -
>  share/debian-edu-config/edu-firefox-nfs                              |    1
>  share/debian-edu-config/sudo-ldap.conf                               |    1
>  share/debian-edu-config/tools/create-debian-edu-certs                |    2
>  share/debian-edu-config/tools/kerberos-kdc-init                      |    5
>  share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |    4
>  17 files changed, 418 insertions(+), 139 deletions(-)
>
> (so maybe it would have been wiser not to mention the white-space only changes,
> as the release team really dislikes them.)
>

> however/anyway, I'm not sure we can get this past the release team for
> the stable point release. we might. we think all these changes are
> useful/needed for stable, right?

Useful, yes; but IMO we could get along for Buster without the
fetch-ldap-cert related changes introduced in d-e-c 2.10.67 in case the
stable release team dislikes these.

Among improved checks for a lot of possible failures, the rewrite has
the benefit of validating the LDAP server certificate against the Debian
Edu rootCA one (the version shipped with d-e-c 2.10.66 did this against
the bundle-crt certificate). Both are downloaded from www.intern, as
opposed to the LDAP server cert that is fetched from the LDAP server
itself. The bundle certificate contains the Debian Edu rootCA
certificate and the multipurpose server certificate (as a chain). This
server certificate is used for all configured Debian Edu server
services, including the LDAP service. While using the single Debian Edu
rootCA certificate for validation is the better way to go, the bundle
certificate can be used as well.

Another improvement of the fetch-ldap-cert script shipped with d-e-c
2.10.67 is the use of independent conditions for host and LTSP chroot
(instead of the global condition introduced with commit f8f436e); but
then the drawback caused by this change for LTSP chroots has also been
dealt with via d-e-c 2.10.66 fixes.

Mike, please comment.

Wolfgang


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

mike.gabriel
Hi Wolfgang, hi Holger,

On  Fr 16 Aug 2019 11:41:56 CEST, Wolfgang Schweer wrote:

> On Thu, Aug 15, 2019 at 03:54:54PM +0000, Holger Levsen wrote:
>> On Thu, Aug 15, 2019 at 02:38:33PM +0000, Debian FTP Masters wrote:
>> > Source: debian-edu-config
>> > Version: 2.10.67
>> [...]
>> >    debian-edu-config.fetch-ldap-cert:
>> >      - Fully inline-document fetch-ldap-cert script.
>>
>> this is really great
>>
>> >      - White-space-only change: Fix broken and inconsistent indentations.
>>
>> looking at the debdiff between what's in stable and this, it seems this
>> is mostly not visible because it's basically/almost a rewrite anyway:
>>
>> $ debdiff debian-edu-config_2.10.65.dsc  
>> debian-edu-config_2.10.67.dsc|diffstat
>>  Makefile                                                             |    2
>>  cf3/cf.finalize                                                    
>>   |   52 +
>>  cf3/cf.homes                                                         |    2
>>  cf3/cf.workarounds                                                   |   16
>>  cf3/edu.cf                                                           |    1
>>  debian/changelog                                                    
>>   |   96 +++
>>  debian/control                                                       |    2
>>  debian/debian-edu-config.fetch-ldap-cert                            
>>   |  283 ++++++++--
>>  debian/debian-edu-config.postinst                                    |   14
>>  etc/ltsp/ltsp-build-client.conf                                      |    2
>>  etc/network/if-up.d/hostname                                        
>>   |   43 -
>>  share/debian-edu-config/d-i/finish-install                          
>>   |   31 -
>>  share/debian-edu-config/edu-firefox-nfs                              |    1
>>  share/debian-edu-config/sudo-ldap.conf                               |    1
>>  share/debian-edu-config/tools/create-debian-edu-certs                |    2
>>  share/debian-edu-config/tools/kerberos-kdc-init                      |    5
>>  share/ltsp/plugins/ltsp-build-client/Debian-custom/001-ltsp-settings |    4
>>  17 files changed, 418 insertions(+), 139 deletions(-)
>>
>> (so maybe it would have been wiser not to mention the white-space  
>> only changes,
>> as the release team really dislikes them.)
>>
>
>> however/anyway, I'm not sure we can get this past the release team for
>> the stable point release. we might. we think all these changes are
>> useful/needed for stable, right?
>
> Useful, yes; but IMO we could get along for Buster without the
> fetch-ldap-cert related changes introduced in d-e-c 2.10.67 in case the
> stable release team dislikes these.

Disagreeing here.

The fetch-ldap-cert changes are security related and get things right  
about the rootCA handling in Debian Edu buster.

The white-space changes are awkward to review, but the readability of  
the script is much better now (as indentation is now correct + all the  
comments).

(And: we, that is Holger, have/has got other d-e-c changes into a  
stable-pu, as we don't affect other software packages).

> Among improved checks for a lot of possible failures, the rewrite has
> the benefit of validating the LDAP server certificate against the Debian
> Edu rootCA one (the version shipped with d-e-c 2.10.66 did this against
> the bundle-crt certificate). Both are downloaded from www.intern, as
> opposed to the LDAP server cert that is fetched from the LDAP server
> itself. The bundle certificate contains the Debian Edu rootCA
> certificate and the multipurpose server certificate (as a chain). This
> server certificate is used for all configured Debian Edu server
> services, including the LDAP service. While using the single Debian Edu
> rootCA certificate for validation is the better way to go, the bundle
> certificate can be used as well.

Yes. Thanks for pointing this out!!! It is the much better / cleaner /
expected-by-admins approach.

> Another improvement of the fetch-ldap-cert script shipped with d-e-c
> 2.10.67 is the use of independent conditions for host and LTSP chroot
> (instead of the global condition introduced with commit f8f436e); but
> then the drawback caused by this change for LTSP chroots has also been
> dealt with via d-e-c 2.10.66 fixes.
>
> Mike, please comment.

Furthermore, we now entirely fixed backwards compatibility (new Debian
Edu clients running against old Debian Edu TJENERs). This was the main  
flaw of the original Debian 10.0 implementation. You can't use Debian  
Edu 10 clients on a network running on a TJENER from 9.x or 8.x.
While investigating this, Petter pointed us to the security flaw of  
always updating the LDAP server certificate on clients. Only deploying  
the LDAP server cert once protects the user against password sniffing,  
if someone malign takes over the network.

Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it  
now is easy to read,
Mike

--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: [hidden email], http://das-netzwerkteam.de


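The two certificate checks discussed in this thread, Wolfgang's point that the LDAP server certificate should be validated against the Debian Edu rootCA itself rather than against whatever CA happens to be offered, and Mike's point that deploying the server certificate only once (rather than re-fetching it on every boot) is what protects users on a hostile network, as an added shell example. This is not code from debian-edu-config or from the fetch-ldap-cert script: it builds a throwaway PKI with openssl so it runs offline, and every name in it (`rootca`, `rogue`, `ldap.intern (test)`, `verify_ldap_cert`, `install_once`, the config sections) is invented for the example.

```shell
#!/bin/sh
# Added example, not debian-edu-config code. Two checks from the thread:
#   verify_ldap_cert: the server cert must chain to the CA file given (and only
#                     that file), and that CA must be the "Debian Edu RootCA",
#                     not merely some CA whose name contains "RootCA".
#   install_once:     trust-on-first-use; a later, different certificate is
#                     rejected instead of silently replacing the pinned one.
# All names, subjects and paths below are constructed for this example.
set -u

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.intern
EOF
}

# new_ca <dir> <name> <subject CN>: self-signed CA certificate + key.
new_ca() {
    openssl req -x509 -config "$1/openssl.cnf" -extensions v3_ca -days 1 \
        -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# new_server_cert <dir> <ca name> <name> <subject CN>: server cert issued by that CA.
new_server_cert() {
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$4" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -extfile "$1/openssl.cnf" -extensions v3_server \
        -out "$1/$3.crt" 2>/dev/null
}

# Constructed PKI: a "Debian Edu RootCA" with its LDAP server cert, plus an
# unrelated "Some other RootCA" that has issued a server cert for the same name.
make_test_pki() {
    mkdir -p "$1"
    write_openssl_cnf "$1/openssl.cnf"
    new_ca "$1" rootca "Debian Edu RootCA (test)"
    new_server_cert "$1" rootca ldap "ldap.intern (test)"
    new_ca "$1" rogue "Some other RootCA (test)"
    new_server_cert "$1" rogue rogue-ldap "ldap.intern (test)"
}

# verify_ldap_cert <ca file> <server cert>: 0 only if the cert chains to exactly
# this CA (system trust store disabled) and the CA is the Debian Edu RootCA.
verify_ldap_cert() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    # Match the full name; a bare "RootCA" match would accept the rogue CA too.
    openssl x509 -in "$1" -noout -subject | grep -q 'Debian Edu RootCA' || return 1
    return 0
}

cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# install_once <pinned path> <candidate cert>: install on first run; afterwards
# succeed only if the candidate is the already pinned certificate.
install_once() {
    if [ ! -s "$1" ]; then
        cp "$2" "$1"
        return 0
    fi
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Stand-alone demo: one line per check.
demo() {
    d="$(mktemp -d)"
    make_test_pki "$d"
    verify_ldap_cert "$d/rootca.crt" "$d/ldap.crt"       && echo "rootca -> ldap.crt: OK"
    verify_ldap_cert "$d/rootca.crt" "$d/rogue-ldap.crt" || echo "rootca -> rogue-ldap.crt: rejected (wrong chain)"
    verify_ldap_cert "$d/rogue.crt"  "$d/rogue-ldap.crt" || echo "rogue -> rogue-ldap.crt: rejected (not Debian Edu RootCA)"
    install_once "$d/pinned.crt" "$d/ldap.crt"       && echo "first deployment: pinned"
    install_once "$d/pinned.crt" "$d/rogue-ldap.crt" || echo "later deployment with a different cert: rejected"
    rm -rf "$d"
}

demo
```

The `-no-CAfile -no-CApath` flags matter: without them `openssl verify` also consults the system trust store, so the check would no longer mean "issued by the Debian Edu RootCA". The rejection from `install_once` is the place where a real client should log loudly rather than retry, since a changed server certificate on an established network is exactly the situation the thread describes.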

Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

Wolfgang Schweer-3
Hi Mike,

thanks for the fast reply.

On Fri, Aug 16, 2019 at 10:10:27AM +0000, Mike Gabriel wrote:

> > Another improvement of the fetch-ldap-cert script shipped with d-e-c
> > 2.10.67 is the use of independent conditions for host and LTSP chroot
> > (instead of the global condition introduced with commit f8f436e); but
> > then the drawback caused by this change for LTSP chroots has also been
> > dealt with via d-e-c 2.10.66 fixes.
> >
> > Mike, please comment.
>
> Furthermore, we now entirely fixed backwards compatibility (new Debian Edu
> clients running against old Debian Edu TJENERs). This was the main flaw of
> the original Debian 10.0 implementation. You can't use Debian Edu 10 clients
> on a network running on a TJENER from 9.x or 8.x.
> While investigating this, Petter pointed us to the security flaw of always
> updating the LDAP server certificate on clients. Only deploying the LDAP
> server cert once protects the user against password sniffing, if someone
> malign takes over the network.

Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if
the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a
fallback option.

> Thus, fetch-ldap-cert must get into buster IMHO, it's a rewrite and it now
> is easy to read,

Sure, you improved it quite a lot :)

Wolfgang


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

Holger Levsen-2
On Fri, Aug 16, 2019 at 12:25:49PM +0200, Wolfgang Schweer wrote:
> Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if
> the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a
> fallback option.

right. so back to my original question:

however/anyway, I'm not sure we can get this past the release team for the
stable point release. we might.

would someone else (Mike?) be willing to file an SRM bug for
debian-edu-config_2.10.65+deb10u1? (or 2.10.66~ or 2.10.67~???)


--
cheers,
        Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

mike.gabriel
Hi Holger,

On Friday, 16 August 2019, Holger Levsen wrote:

> On Fri, Aug 16, 2019 at 12:25:49PM +0200, Wolfgang Schweer wrote:
> > Sure, but this has already been fixed (somehow) in d-e-c 2.10.66. So if
> > the stable release team disagrees w/ 2.10.67, d-e-c 2.10.66 might be a
> > fallback option.
>
> right. so back to my original question:
>
> however/anyway, I'm not sure we can get this past the release team for the
> stable point release. we might.
>
> would someone else (Mike?) be willing to file an SRM bug for
> debian-edu-config_2.10.65+deb10u1? (or 2.10.66~ or 2.10.67~???)
>
>
> --
> cheers,
> Holger
>

I can do that after the weekend. I have put it in my calendar for Monday morning.

Mike

--
Sent from my Fairphone2 (powered by Sailfish OS).

Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

Holger Levsen-2
Hi Mike,

On Fri, Aug 16, 2019 at 05:43:42PM +0000, [hidden email] wrote:
> I can do that after the weekend. I have put it in my calendar for Monday morning.

great, thank you!


--
cheers,
        Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C


Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

mike.gabriel
Hi Holger, hi Wolfgang,

On  Fr 16 Aug 2019 21:43:05 CEST, Holger Levsen wrote:

> Hi Mike,
>
> On Fri, Aug 16, 2019 at 05:43:42PM +0000,  
> [hidden email] wrote:
>> I can do that after the weekend. I have put it in my calendar for
>> Monday morning.
>
> great, thank you!

I have put together a buster branch for debian-edu-config. At the end  
of this mail find a .diff between buster..master.

I wasn't sure about the D-I / entropy related changes between 2.10.65
and 2.10.67 and if they were actually being targeted for the
buster-pu or just for stable.

Please let me know if "those" entropy commits need to get included or not.

Once we have agreed on a package version to upload to buster, I will  
compose the buster srm bug report for it.

Please give feedback. Thanks!

Mike

```
[mike@minobo d-e-c (buster)]$ git diff buster..master | cat
diff --git a/debian/changelog b/debian/changelog
index b78cc1b7..c4c58cf2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,59 +1,14 @@
-debian-edu-config (2.10.65+deb10u1) UNRELEASED; urgency=medium
+debian-edu-config (2.10.67) unstable; urgency=medium

    [ Wolfgang Schweer ]
-  * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes:  
#928756)
-    - Use PXE option 'ipappend 2' for LTSP client boot. This option  
makes sure
-      that all DHCP server information is getting through to LTSP clients.
-      (LTSP used this option before, but switched to 'ipappend 3' during the
-      Buster development cycle to ease setups with ProxyDHCP.)
-  * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
-    - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)
-  * Set environment variable to deal with Firefox profile. (Closes: #930122)
-    This is a workaround for bug #930125, preventing firefox-esr  
startup issues
-    if the mozilla profile is on an NFS share).
-    - Ship share/debian-edu-config/edu-firefox-nfs with  
NSS_SDB_USE_CACHE="yes"
-      as content. Thanks to Mike Gabriel for spotting the issue and providing
-      this information.
-    - Add instructions to cf3/cf.workarounds to link the  
'edu-firefox-nfs' file
-      to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'.
-  * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
-    - While the reported arch is i686, LTSP uses i386. Set arch accordingly.
-  * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
-    - Remove outdated (and now wrong) logging section.
-  * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
-    - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
-      to changed behaviour of the ifupdown/dhclient/systemd  
combination and now
-      also causes the loss of a dynamically allocated ipv4 IP address  
after 20
-      to 30 minutes after booting.
-    - Add code to d/debian-edu-config.postinstall to implement the intended
-      hostname update just after rebooting the system after a change.
-    - Adjust Makefile.
-  * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
-    - Adjust share/debian-edu-config/tools/create-debian-edu-certs to  
copy the
-      rootCA file to the web server directory at certificate generation time.
-    - Adjust cf3/cf.finalize to care for the rootCA file as well.
-    - Adjust cf3/cf.workarounds to copy the rootCA file to the web server
-      directory upon main server upgrade.
-  * Add LDAP server certificate to the initial LTSP NBD image.  
(Closes: #932828)
-    - etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
-    - cf3/edu.cf: Define new class 'ltspimages'.
-    - cf3/cf.finalize: Add code to include the LDAP server  
certificate for all
-      possible use cases, to generate the image and to adjust various rights.
-  * Changes to debian-edu-config.fetch-ldap-cert from 2.10.67).
+  * Adjust debian/debian-edu-config.fetch-ldap-cert. (Closes: #934380)
      - Use independent conditions to make sure that the LDAP server  
certificate
-      is only downloaded once for both host and LTSP chroot. (Closes:  
#934380)
+      is only downloaded once for both host and LTSP chroot.
      - Add code to validate the LDAP server certificate in case the Debian Edu
        RootCA certificate is available for download.

    [ Mike Gabriel ]
-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66):
-    - Make the script (and with it Debian Edu buster workstations) work in a
-      Debian Edu environment where the main server (TJENER) is still  
on Debian
-      Edu 8 or 9. (Closes: #926933)
-    - Retrieve TJENER's PKI server certificate only once per host to improve
-      security. This re-introduces the behaviour of fetch-ldap-cert  
in stretch
-      and earlier. (Closes: #931413).
-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67):
+  * Code review debian-edu-config.fetch-ldap-cert:
      - White-space-only change: Fix broken and inconsistent indentations.
      - Fully inline-document fetch-ldap-cert script.
      - Add "-f" option to all curl calls that don't have it set so far.
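Review bot: the buster-side bullet `-  * Changes to debian-edu-config.fetch-ldap-cert from 2.10.67).` has a stray closing parenthesis and does not match the form of its sibling `-  * Changes to debian-edu-config.fetch-ldap-cert (from 2.10.66):` further down in this hunk; make it `* Changes to debian-edu-config.fetch-ldap-cert (from 2.10.67):` so the two backport blocks read alike. (Since the diff is `buster..master`, the `-` lines are the proposed stable branch and are the ones to fix.)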
@@ -80,7 +35,64 @@ debian-edu-config (2.10.65+deb10u1) UNRELEASED;  
urgency=medium
      - Do a simple validity check if a directory under /opt/ltsp really is
        a chroot (and e.g. not the SquashFS images' directory).

- -- Petter Reinholdtsen <[hidden email]>  Sat, 20 Apr 2019 07:53:26 +0200
+ -- Holger Levsen <[hidden email]>  Thu, 15 Aug 2019 16:20:50 +0200
+
+debian-edu-config (2.10.66) unstable; urgency=medium
+
+  [ Wolfgang Schweer ]
+  * Adjust ltsp-build-client/Debian-custom/001-ltsp-setting. (Closes:  
#928756)
+    - Use PXE option 'ipappend 2' for LTSP client boot. This option  
makes sure
+      that all DHCP server information is getting through to LTSP clients.
+      (LTSP used this option before, but switched to 'ipappend 3' during the
+      Buster development cycle to ease setups with ProxyDHCP.)
+  * Adjust share/debian-edu-config/sudo-ldap.conf. (Closes: #929964)
+    - Fix sudo-ldap configuration. (The LDAP URI is needed on LDAP clients.)
+  * Set environment variable to deal with Firefox profile. (Closes: #930122)
+    This is a workaround for bug #930125, preventing firefox-esr  
startup issues
+    if the mozilla profile is on an NFS share).
+    - Ship share/debian-edu-config/edu-firefox-nfs with  
NSS_SDB_USE_CACHE="yes"
+      as content. Thanks to Mike Gabriel for spotting the issue and providing
+      this information.
+    - Add instructions to cf3/cf.workarounds to link the  
'edu-firefox-nfs' file
+      to appropriate files below '/etc/X11/Xsession.d' and '/etc/profile.d'.
+  * Adjust cf3/cf.homes: Set correct LTSP chroot path. (Closes: #931680)
+    - While the reported arch is i686, LTSP uses i386. Set arch accordingly.
+  * Adjust share/debian-edu-config/tools/kerberos-kdc-init. (Closes: #931366)
+    - Remove outdated (and now wrong) logging section.
+  * Add LDAP server certificate to the initial LTSP NBD image.  
(Closes: #932828)
+    - etc/ltsp/ltsp-build-client.conf: Don't create the image by default.
+    - cf3/edu.cf: Define new class 'ltspimages'.
+    - cf3/cf.finalize: Add code to include the LDAP server  
certificate for all
+      possible use cases, to generate the image and to adjust various rights.
+  * Provide Debian Edu RootCA certificate for download. (Closes: #933183)
+    - Adjust share/debian-edu-config/tools/create-debian-edu-certs to  
copy the
+      rootCA file to the web server directory at certificate generation time.
+    - Adjust cf3/cf.finalize to care for the rootCA file as well.
+    - Adjust cf3/cf.workarounds to copy the rootCA file to the web server
+      directory upon main server upgrade.
+  * Fix loss of dynamically allocated v4 IP address. (Closes: #933580)
+    - Drop etc/network/if-up.d/hostname. This script doesn't work anymore due
+      to changed behaviour of the ifupdown/dhclient/systemd  
combination and now
+      also causes the loss of a dynamically allocated ipv4 IP address  
after 20
+      to 30 minutes after booting.
+    - Add code to d/debian-edu-config.postinstall to implement the intended
+      hostname update just after rebooting the system after a change.
+    - Adjust Makefile.
+
+  [ Mike Gabriel ]
+  * debian/debian-edu-config.fetch-ldap-cert: Make the script (and with it
+    Debian Edu buster workstations) work in a Debian Edu environment where
+    the main server (TJENER) is still on Debian Edu 8 or 9. (Closes: #926933)
+  * debian/debian-edu-config.fetch-ldap-cert: Retrieve TJENER's PKI server
+    certificate only once per host to improve security. This re-introduces
+    the behaviour of fetch-ldap-cert in stretch and earlier. (Closes:  
#931413).
+
+  [ Holger Levsen ]
+  * Drop obsolete code in d-i/finish-install now that d-i uses haveged (via a
+    newly introduced udeb) or a hardware RNG. (See #923675).
+  * Bump standards version to 4.4.0, no changes needed.
+
+ -- Holger Levsen <[hidden email]>  Sat, 10 Aug 2019 11:41:47 +0200

  debian-edu-config (2.10.65) unstable; urgency=medium

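Review bot: the trailer the buster branch keeps for the 2.10.65+deb10u1 entry, ` -- Petter Reinholdtsen <[hidden email]>  Sat, 20 Apr 2019 07:53:26 +0200`, is the 2.10.65 trailer, so the stable update is still attributed to Petter with the April date; run `dch -r` (or edit the trailer by hand) before the upload so it names the actual uploader and date. Related: if the entropy commits do go into buster, this entry also needs the `[ Holger Levsen ]` bullet about `d-i/finish-install` from the 2.10.66 entry, minus the Standards-Version bump, which correctly stays out of a stable update.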
diff --git a/debian/control b/debian/control
index d1e88c94..1ec1999b 100644
--- a/debian/control
+++ b/debian/control
@@ -7,7 +7,7 @@ Uploaders: Petter Reinholdtsen <[hidden email]>,
             Mike Gabriel <[hidden email]>,
             Wolfgang Schweer <[hidden email]>,
             Dominik George <[hidden email]>,
-Standards-Version: 4.3.0
+Standards-Version: 4.4.0
  Rules-Requires-Root: no
  Build-Depends: debhelper-compat (= 11)
  Build-Depends-Indep: po-debconf,
diff --git a/share/debian-edu-config/d-i/finish-install  
b/share/debian-edu-config/d-i/finish-install
index 3422ecdd..973c3dc3 100644
--- a/share/debian-edu-config/d-i/finish-install
+++ b/share/debian-edu-config/d-i/finish-install
@@ -37,30 +37,6 @@ PROFILE="$RET"
  # easier to track our changes
  edu-etcvcs commit

-# Try to add entropy when running low
-(
-   cd /
-   while true ; do
-       entropy="$(cat /proc/sys/kernel/random/entropy_avail)"
-       if [ 130 -gt "$entropy" ] ; then
-           log "low on entropy, pool is $entropy. trying to add more"
-           # Disk IO add entropy to the kernel.  Flush cache to ensure
-           # find and touch/rm causes disk IO.
-           sync
-           echo 3 > /proc/sys/vm/drop_caches
-           find /target > /dev/null || true
-           touch /target/var/tmp/foo
-           sync
-           rm /target/var/tmp/foo
-           sync
-           entropy="$(cat /proc/sys/kernel/random/entropy_avail)"
-           log "entropy pool is $entropy after trying to add"
-       fi
-       sleep 20
-   done
-) < /dev/null 2>&1 3>/dev/null 4>&3 5>&3 6>&3 | logger -t edu-entropy-add &
-epid=$!
-
  # Make the installation look more like a finished system, to make sure
  # debconf-get-selections --installer work.
  . /usr/lib/finish-install.d/94save-logs
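Review bot: in the entropy loop the buster branch keeps, `epid=$!` after `) < /dev/null 2>&1 3>/dev/null 4>&3 5>&3 6>&3 | logger -t edu-entropy-add &` records the PID of `logger`, the last command of the backgrounded pipeline (POSIX `$!` semantics), not of the subshell running the `while true` loop; the `kill $epid` later in this file therefore stops the logger and leaves the loop alive until something in it next writes to the closed pipe, which only happens when entropy is low. If the loop is kept for buster instead of dropped as on master, background the subshell by itself (feeding `logger` from a file or FIFO) so `$!` is the loop's PID; given that master already removed the loop as obsolete, taking the removal into the deb10u1 upload is the simpler option.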
@@ -110,13 +86,6 @@ db_set debian-edu-config/kdc-password '' || true
  db_set debian-edu-config/kdc-password-again '' || true
  log "info: Ensuring KDC and LDAP passwords are cleared from debconf database"

-# Ignore errors in case the entropy gathering is no longer running
-if kill $epid ; then
-    :
-else
-    log "error: killing the entropy gathering job failed - exited?"
-fi
-
  echo "info: processes using mount point below /target"
  mountpoints="$(grep " /target" /proc/mounts | cut -d" " -f2 | sed  
s%/target%%g)"
  LANG=C chroot /target fuser -mv $mountpoints 2>&1 | sed 's/^/info: /'

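Review bot: this kill block and the loop in the earlier hunk have to be cherry-picked together for the buster branch: keeping this block without the loop leaves `$epid` unset and `kill` failing on every install (logged as an error), while keeping the loop without this block leaves the background job running into the finished system. Take both hunks or neither for the deb10u1 upload.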
```
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: [hidden email], http://das-netzwerkteam.de



Re: debian-edu-config_2.10.67_source.changes ACCEPTED into unstable

Holger Levsen-2
Hi Mike,

On Mon, Aug 19, 2019 at 08:00:05PM +0000, Mike Gabriel wrote:
> I have put together a buster branch for debian-edu-config. At the end of
> this mail find a .diff between buster..master.

cool, thanks for this! (I won't have time for review now though, cccamp
is being too noisy atm.)

> I wasn't sure about the D-I / entropy related changes between 2.10.65 and
> 2.10.67 and if they were actually being targeted for the buster-pu or just
> for stable.
>
> Please let me know if "those" entropy commits need to get included or not.

I believe either is fine.

> Once we have agreed on a package version to upload to buster, I will compose
> the buster srm bug report for it.

2.10.65+deb10u1 is good.


--
cheers,
        Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
