I didn’t post anything last week because we were at DebConf19, which took place in Curitiba/Brazil. It was quite a good experience watching so many different presentations. Of all of them, I would recommend the following as “should definitely watch”:
- Using Git for Ubuntu Packaging from @ahasenack.
- How Ubuntu and Debian packages are structured from @ahasenack.
- Apt 2.0 and other news from @juliank.
- One git to package them all, and on salsa.
- Reproducible Builds
- Secure Boot in Debian Buster. Really.
- State of RDMA in Debian. (Thanks Mellanox Engineers for answering so many questions from myself).
- Symbolic Execution of Maintainers Scripts.
- What's new in the Linux Kernel
LP: #1828495 is the public bug where @paelzer and I are making QEMU changes for different HW security mitigations of new CPUs (Intel xxxLake CPUs). Christian has merged a pretty recent QEMU version into Eoan and we’ve been working on backporting the security features (+arch-capabilities,+ssbd,+md-clear,+rdctl-no,+ibrs-all,+skip-l1dfl-vmentry,+mds-no -m 2048 -realtime mlock=off) to Disco and Bionic.
Bionic is already in -proposed and we missed the MDS-NO feature, so we included it in qemu 1:2.11+dfsg-1ubuntu7.17 and also pushed it into the -proposed repo. Disco already had the MDS-NO patch, so its -proposed version, 1:3.1+dfsg-2ubuntu3.3, was already good.
If you want to check how to enable those features (without the libvirt support, which we’re working on) you can check comment #50 for Bionic and comment #46 for Ubuntu Disco.
We are going to create a wiki page specifying exactly how to enable the mitigation flags in order to tell KVM guests which HW mitigations are supported for the specified vCPU.
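As an added example (not code from the bug report or from the QEMU packaging), the helper below parses the -cpu option of a QEMU command line and reports which of the flags listed above are not explicitly enabled for the vCPU. The command lines and the Skylake-Server model name are constructed samples, and the check only sees flags written on the command line, so a model that inherits features from the host needs a different check.

```python
import shlex

# CPU flags listed in the post; everything else here is illustrative.
WANTED = ("arch-capabilities", "ssbd", "md-clear", "rdctl-no",
          "ibrs-all", "skip-l1dfl-vmentry", "mds-no")


def cpu_features(cmdline):
    """Return (model, {flag: enabled}) parsed from the last -cpu option."""
    args = shlex.split(cmdline)
    spec = None
    for opt, val in zip(args, args[1:]):
        if opt == "-cpu":
            spec = val
    if spec is None:
        return None, {}
    model, *props = spec.split(",")
    feats = {}
    for prop in props:
        if prop.startswith(("+", "-")):        # legacy +flag / -flag form
            name, on = prop[1:], prop[0] == "+"
        elif prop.endswith(("=on", "=off")):   # property form flag=on|off
            name, _, val = prop.partition("=")
            on = val == "on"
        else:
            continue                           # e.g. vendor=..., not a flag
        # QEMU treats '_' and '-' in x86 flag names as the same character.
        # Simplification: if a flag is repeated, the last occurrence wins here.
        feats[name.replace("_", "-")] = on
    return model, feats


def missing_mitigations(cmdline):
    """Flags from WANTED that the command line does not explicitly enable."""
    _, feats = cpu_features(cmdline)
    return [flag for flag in WANTED if not feats.get(flag, False)]


# Constructed sample command lines (model name chosen for illustration).
FULL = ("qemu-system-x86_64 -enable-kvm -cpu Skylake-Server,+arch-capabilities,"
        "+ssbd,+md-clear,+rdctl-no,+ibrs-all,+skip-l1dfl-vmentry,+mds-no "
        "-m 2048 -realtime mlock=off")
PARTIAL = ("qemu-system-x86_64 -enable-kvm "
           "-cpu Skylake-Server,+ssbd,md_clear=on,-mds-no -m 2048")

if __name__ == "__main__":
    for label, cmd in (("full", FULL), ("partial", PARTIAL)):
        print(label, "missing:", missing_mitigations(cmd) or "none")
```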
Ubuntu HA Work
Our focus now is basically to clean up the autopkgtest regressions we had in the new corosync and pacemaker versions. Dependent packages had their tests failing for multiple reasons and I’m cleaning those up.
An example is that our autopkgtest environment for the armhf architecture runs in an unprivileged container and corosync now needs to set memlock limits in the beginning (in the new version the test checks for capabilities and skips instead of failing).
@rbasak has done a huge amount of work to upgrade MySQL to 8 in Ubuntu Eoan. This week I have helped this effort just a bit, with 2 related packages:
- dbconfig-common (Upstream Debian Merge Request): Because of cacti (2) I had to create a debconf variable to set the MySQL authentication plugin to be used by dbconfig-common consumers. Because of MySQL 8 changes, the ALTER SQL commands also had to be altered.
- cacti (Upstream Debian Merge Request and Upstream Merge Request): MySQL 8 does not allow ALTER to create a USER by default anymore AND its default authentication plugin is caching_sha2_password, not supported by some PHP packages.