Closed grahamperrin closed 3 years ago
Keep in mind that we cannot use quarterly packages because packages can disappear there from one day to the next, preventing us from doing ISO builds.
And we can only switch to 12.2 once we have a compatible Intel DRM package.
Which means (if I am not mistaken) that we can only switch to 12.2 once the Intel DRM package in last quarter's packages is compatible with 12.2.
So, at least another quarter to wait?
… packages can disappear … from one day to the next, …
Disappearances should be infrequent (and annoyances should be avoidable). Maybe raise a separate issue for this, for a focused investigation that's not scattered across multiple issues.
… compatible Intel DRM package. …
Above, kldload /boot/modules/i915kms.ko – is this kernel module not what's required?
Above, kldload /boot/modules/i915kms.ko – is this kernel module not what's required?
I think it is - but does it work? https://github.com/helloSystem/ISO/issues/1
From https://github.com/helloSystem/docs/commit/54147195c7c96095fc2e3a656be3acfbd829d147:
- exFAT (Windows) once available in quarterly packages
– and:
- EXT4 (Linux) once available in quarterly packages
https://github.com/vermaden/automount describes sysutils/fusefs-ext4fuse, https://www.freshports.org/sysutils/fusefs-ext4fuse/#history that's removed ∴ https://github.com/vermaden/automount/pull/26
Instead: sysutils/fusefs-ext2.
Available, logged:
https://github.com/helloSystem/ISO/commit/f73b9d6bf78d0fbf04e9ae74f25ac74bcacea0d9 hello-0.5.0_0E5-FreeBSD-12.2-amd64.iso
pre-release currently at https://github.com/helloSystem/ISO/releases/tag/experimental-12.2 is:
12.2-RELEASE
12.2-RELEASE-p3
@probonopd I suspect no great value in having hello-0.5.0_0E5-FreeBSD-12.2-amd64.iso alongside hello-0.5.0_0E5-FreeBSD-12.1-amd64.iso …
… consider withdrawing hello-0.5.0_0E5-FreeBSD-12.2-amd64.iso.
Thanks
For me the question is which FreeBSD version the next helloSystem version, 0.5.0 (~March 2021) should be based on. The experimental builds right now are building towards the upcoming 0.5.0. (The mid-term question will be whether 1.0.0 will be 13-based...).
I must have overlooked the difference between RELEASE and RELEASE-p3 (still learning FreeBSD versioning). What I am looking for is "the latest security-patched RELEASE in the 12 series" - ideally without having to manually track p1, p2,... (is there a way to say "latest 12 RELEASE"?)
And the question is, can any 12 later than 12.2 currently work properly (including Intel GPU drivers) with last quarter's packages (because quarterly seems to have missing packages from one day to the next)?
freebsd-12-2-release-p3-amd64 does not exist as an instance name on Cirrus CI (which is using Google Cloud Computing Engine instances).
freebsd-12-2-release-p3-amd64 does not exist as an instance name on Cirrus CI …
helloSystem documentation refers to https://cirrus-ci.com/ but it's somewhat mysterious.
How can I tell what does exist?
https://github.com/helloSystem/ISO/issues/135#issuecomment-780735139
say "latest 12 RELEASE"
freebsd-update upgrade -r 12.2-RELEASE
12.2-RELEASE, which is currently patch level 3 i.e. 12.2-RELEASE-p3. Thanks to debdrup in freenode (@debdrup in GitHub?) I recently learnt of this unofficial page:
Under https://bokut.in/freebsd-patch-level-table/#releng/12.2
12.2-RELEASE-p2 with reference to its one related SA
12.2-RELEASE-p3 with reference to its two related SAs. Posted to Reddit, unfortunately neither post was allowed:
… can any 12 later than 12.2 currently work properly … with last quarter's packages …
It's simple to test this for yourself with hello-0.5.0_0E6-FreeBSD-12.2-amd64.iso
and VirtualBox. I'll make a screen recording to help you …
It's simple
Unfortunately not. This is a show-stopper to reasonable testing:
For my everyday system with 2,019 packages from latest, few vulnerabilities:
root@mowa219-gjp4-8570p:~ # grep url /etc/pkg/FreeBSD.conf
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
root@mowa219-gjp4-8570p:~ # pkg audit --quiet
openexr-2.5.4
ilmbase-2.5.4
root@mowa219-gjp4-8570p:~ # pkg audit --recursive
openexr-2.5.4 is vulnerable:
openexr, ilmbase -- security fixes related to reading corrupted input files
WWW: https://vuxml.FreeBSD.org/freebsd/98044aba-6d72-11eb-aed7-1b1b8a70cc8b.html
Packages that depend on openexr: gimp-app, gimp, gimp-gutenprint, opencv,
digikam, frei0r-plugins-opencv, frei0r-plugins, kdenlive, kdemultimedia,
shotcut, gegl, gnome-photos, gnome-utils, gnome3, kio-extras, dolphin,
kf5-kimageformats
ilmbase-2.5.4 is vulnerable:
openexr, ilmbase -- security fixes related to reading corrupted input files
WWW: https://vuxml.FreeBSD.org/freebsd/98044aba-6d72-11eb-aed7-1b1b8a70cc8b.html
Packages that depend on ilmbase: gimp-app, gimp, gegl, gnome-photos, kio-extras,
dolphin, kf5-kimageformats
2 problem(s) in 2 installed package(s) found.
root@mowa219-gjp4-8570p:~ #
For helloSystem with some packages from release_2:
date ; uptime ; uname -a
Wed Feb 17 23:58:27 EST 2021
11:58PM up 1:20, 0 users, load averages: 0.39, 0.39, 0.42
FreeBSD FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE r366954 GENERIC amd64
root@FreeBSD:/usr/home/liveuser # freebsd-version -kru
12.2-RELEASE-p3
12.2-RELEASE
12.2-RELEASE-p3
root@FreeBSD:/usr/home/liveuser # pkg audit --quiet | sort
curl-7.72.0
freetype2-2.10.2_1
jasper-2.0.21
libexif-0.6.21_5
mysql57-client-5.7.31_1
mysql57-server-5.7.31_1
p11-kit-0.23.21
raptor2-2.0.15_14
samba410-4.10.18
sudo-1.9.3p1
tmux-3.1b
xorg-server-1.20.9,1
root@FreeBSD:/usr/home/liveuser #
Worst amongst those might be sudo, the fix for which is already in latest and quarterly for FreeBSD:11:amd64 FreeBSD:12:amd64 FreeBSD:13:amd64 and FreeBSD:14:amd64:
pkg audit --recursive
samba410-4.10.18 is vulnerable:
samba -- Multiple Vulnerabilities
CVE: CVE-2020-14383
CVE: CVE-2020-14323
CVE: CVE-2020-14318
WWW: https://vuxml.FreeBSD.org/freebsd/9ca85b7c-1b31-11eb-8762-005056a311d1.html
Packages that depend on samba410: gvfs
xorg-server-1.20.9,1 is vulnerable:
xorg-server -- Multiple input validation failures in X server XKB extension
CVE: CVE-2020-25712
CVE: CVE-2020-14360
WWW: https://vuxml.FreeBSD.org/freebsd/76c8b690-340b-11eb-a2b7-54e1ad3d6335.html
Packages that depend on xorg-server: slim, xf86-video-vesa, xf86-video-scfb,
xf86-video-cirrus, xf86-video-ati, xf86-input-mouse, xf86-input-libinput,
xf86-input-keyboard, xf86-input-evdev
libexif-0.6.21_5 is vulnerable:
libexif -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/cff0b2e2-0716-11eb-9e5d-08002728f74c.html
Packages that depend on libexif: lximage-qt, libfm-qt, libgphoto2, gvfs
freetype2-2.10.2_1 is vulnerable:
freetype2 -- heap buffer overlfow
CVE: CVE-2020-15999
WWW: https://vuxml.FreeBSD.org/freebsd/458df97f-1440-11eb-aaec-e0d55e2a8bf9.html
Packages that depend on freetype2: libreoffice, openjdk8, wx31-gtk3, audacity,
gstreamer1-plugins-a52dec, gstreamer1-plugins-core, gstreamer1-plugins-mpg123,
gstreamer1-plugins-png, gstreamer1-plugins-dts, gstreamer1-plugins-dvdread,
gstreamer1-plugins-resindvd, gstreamer1-plugins-theora,
gstreamer1-plugins-pango, gstreamer1-plugins-ugly, gstreamer1-plugins-good,
gstreamer1-plugins-vorbis, openbox, slim, qt5-webengine, xterm, poppler-qt5,
qpdfview, imlib2, gstreamer1-plugins-ogg, tk86, ssvnc, tk-wrapper, poppler,
ghostscript9-agpl-base, libgd, libgphoto2, webkit2-gtk3, gstreamer1-plugins-gl,
harfbuzz-icu, gtk3, libcanberra-gtk3, kf5-knotifications, kf5-purpose,
kf5-kparts, kf5-kio, kf5-kwallet, falkon, kaccounts-integration,
signon-kwallet-extension, kf5-kdewebkit, libappindicator, screenkey, arandr,
libdbusmenu, gnome-online-accounts, gvfs, libgdata, gcr, librsvg2, ffmpeg,
gstreamer1-libav, mpv, webcamoid, libass, gstreamer1-plugins-bad,
qt5-multimedia, libXfont2, xorg-server, gstreamer1-plugins, qt5-webkit,
signon-ui, kf5-kdesignerplugin, akonadi, pango, libcanberra, redshift, dunst,
djvulibre, gnome-mount, policykit-gnome, gconf2, adwaita-icon-theme, gtk2,
cairo, libspectre, py37-gobject3, libaccounts-glib, libaccounts-qt5,
accounts-qml-module, system-config-printer, graphene, py37-cairo, libXft, lmms,
fltk, qt5-gui, ksnip, kImageAnnotator, kf5-kirigami2, kf5-kcmutils, signon-qt5,
signon-plugin-oauth2, kf5-kdeclarative, qt5-designer, kf5-kplotting,
kf5-kbookmarks, kf5-solid, kf5-kded, kf5-kjobwidgets, kf5-kxmlgui, pinentry-qt5,
kf5-attica, kf5-ktextwidgets, kf5-kglobalaccel, phonon-qt5, kf5-sonnet,
qt5-speech, kf5-kservice, kf5-kiconthemes, kf5-kcompletion, kf5-kcrash,
kf5-kitemviews, kf5-kconfigwidgets, kf5-kauth, kf5-kguiaddons, kf5-kconfig,
kf5-kpackage, kf5-kwidgetsaddons, qt5-uitools, qt5-uiplugin, py37-qt5-webengine,
qt5-assistant, lximage-qt, featherpad, qterminal, dsbmixer, lxqt-globalkeys,
qt5-graphicaleffects, libdbusmenu-qt5, kf5-kdbusaddons, py37-qt5-printsupport,
py37-qt5-webchannel, qt5-help, libfm-qt, qtermwidget, liblxqt, qt5-location,
polkit-qt-1, libqtxdg, kf5-kwindowsystem, py37-qt5-qml, qt5-x11extras,
py37-qt5-widgets, hello, wpa_supplicant_gui, py37-qt5-gui, qt5-quickcontrols,
qt5-quickcontrols2, qt5-svg, qt5-imageformats, qt5-opengl, qt5-declarative,
kf5-kitemmodels, qt5-sensors, kf5-ki18n, kf5-kdoctools, qt5-webchannel,
qscintilla2-qt5, py37-qt5-dbus, py37-qt5-network, py37-qt5-core,
qt5-printsupport, qt5-widgets, kColorPicker, harfbuzz, fontconfig, mkfontscale,
crosextrafonts-caladea, crosextrafonts-carlito, GentiumBasic, linuxlibertine-g,
twemoji-color-font-ttf, font-awesome, wqy-fonts, liberation-fonts-ttf, dejavu,
xorg-fonts-truetype, font-bh-ttf, font-misc-ethiopic, font-misc-meltho
raptor2-2.0.15_14 is vulnerable:
raptor2 -- buffer overflow
CVE: CVE-2017-18926
WWW: https://vuxml.FreeBSD.org/freebsd/07c7ae7a-224b-11eb-aa6e-e0d55e2a8bf9.html
Packages that depend on raptor2: libreoffice, redland, rasqal
jasper-2.0.21 is vulnerable:
jasper -- heap overflow vulnerability
CVE: CVE-2020-27828
WWW: https://vuxml.FreeBSD.org/freebsd/85349584-3ba4-11eb-919d-08002728f74c.html
Packages that depend on jasper: qt5-imageformats
p11-kit-0.23.21 is vulnerable:
p11-kit -- Multiple vulnerabilities
CVE: CVE-2020-29363
CVE: CVE-2020-29362
CVE: CVE-2020-29361
WWW: https://vuxml.FreeBSD.org/freebsd/fdc49972-3ca7-11eb-929d-d4c9ef517024.html
Packages that depend on p11-kit: gvfs, libgdata, gnome-online-accounts, gcr,
glib-networking, libsoup-gnome, libsoup, gnutls
curl-7.72.0 is vulnerable:
cURL -- Multiple vulnerabilities
CVE: CVE-2020-8286
CVE: CVE-2020-8285
CVE: CVE-2020-8284
WWW: https://vuxml.FreeBSD.org/freebsd/3c77f139-3a09-11eb-929d-d4c9ef517024.html
Packages that depend on curl: libreoffice, libcmis, raptor2, mysql57-server,
akonadi, mysql57-client, qt5-sqldrivers-mysql, hw-probe, py37-pycurl,
system-config-printer, liboauth, libgdata, git-lite
mysql57-server-5.7.31_1 is vulnerable:
MySQL -- Multiple vulnerabilities
CVE: CVE-2020-14771
CVE: CVE-2020-14791
CVE: CVE-2020-14860
CVE: CVE-2020-14838
CVE: CVE-2020-14873
CVE: CVE-2020-14867
CVE: CVE-2020-14870
CVE: CVE-2020-14672
CVE: CVE-2020-14869
CVE: CVE-2020-14799
CVE: CVE-2020-14844
CVE: CVE-2020-14790
CVE: CVE-2020-14786
CVE: CVE-2020-14893
CVE: CVE-2020-14891
CVE: CVE-2020-14888
CVE: CVE-2020-14868
CVE: CVE-2020-14866
CVE: CVE-2020-14861
CVE: CVE-2020-14845
CVE: CVE-2020-14839
CVE: CVE-2020-14837
CVE: CVE-2020-14809
CVE: CVE-2020-14794
CVE: CVE-2020-14793
CVE: CVE-2020-14785
CVE: CVE-2020-14777
CVE: CVE-2020-14773
CVE: CVE-2020-14812
CVE: CVE-2020-14804
CVE: CVE-2020-14789
CVE: CVE-2020-14814
CVE: CVE-2020-14852
CVE: CVE-2020-14848
CVE: CVE-2020-14829
CVE: CVE-2020-14821
CVE: CVE-2020-14776
CVE: CVE-2020-14760
CVE: CVE-2020-14827
CVE: CVE-2020-14800
CVE: CVE-2020-14846
CVE: CVE-2020-14836
CVE: CVE-2020-14830
CVE: CVE-2020-14769
CVE: CVE-2020-14765
CVE: CVE-2020-14775
CVE: CVE-2020-14828
CVE: CVE-2020-14878
WWW: https://vuxml.FreeBSD.org/freebsd/4fba07ca-13aa-11eb-b31e-d4c9ef517024.html
mysql57-server-5.7.31_1 is vulnerable:
MySQL -- Multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/31344707-5d87-11eb-929d-d4c9ef517024.html
Packages that depend on mysql57-server: akonadi
sudo-1.9.3p1 is vulnerable:
sudo -- Potential information leak in sudoedit
CVE: CVE-2021-23239
WWW: https://vuxml.FreeBSD.org/freebsd/6193b3f6-548c-11eb-ba01-206a8a720317.html
sudo-1.9.3p1 is vulnerable:
sudo -- Multiple vulnerabilities
CVE: CVE-2021-3156
WWW: https://vuxml.FreeBSD.org/freebsd/f3cf4b33-6013-11eb-9a0e-206a8a720317.html
Packages that depend on sudo:
tmux-3.1b is vulnerable:
tmux -- stack overflow in CSI parsing
WWW: https://vuxml.FreeBSD.org/freebsd/8827134c-1a8f-11eb-9bb0-08002725d892.html
Packages that depend on tmux:
mysql57-client-5.7.31_1 is vulnerable:
MySQL -- Multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/31344707-5d87-11eb-929d-d4c9ef517024.html
Packages that depend on mysql57-client: libreoffice, mysql57-server, qt5-sqldrivers-mysql
14 problem(s) in 12 installed package(s) found.
root@FreeBSD:/usr/home/liveuser #
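The `pkg audit --recursive` listing above is long enough that deciding by eye which packages matter is error-prone. The POSIX sh/awk script below is an added example for this thread, not part of pkg(8) or helloSystem: it condenses that exact output format into one line per vulnerable package, with the number of "CVE:" lines pkg printed for it and the number of installed packages listed under "Packages that depend on …". On a real system it reads `pkg audit --recursive` on stdin; `SAMPLE_AUDIT` is a constructed excerpt in the same format (modelled on the openexr, sudo and tmux entries above, including a package that appears twice and packages with no dependents) so it can be tried offline. The function and variable names are my own.

```shell
#!/bin/sh
# Condense `pkg audit --recursive` output into one line per vulnerable package.
# Added example for this thread; not part of pkg(8) or helloSystem.
# Usage on a FreeBSD host:   pkg audit --recursive | audit_triage
# Columns: cves = number of "CVE:" lines pkg printed for the package (0 when
# the VuXML record carries none, as for openexr above); dependents = number of
# installed packages listed under "Packages that depend on ...".

audit_triage() {
    awk '
    # "name-version is vulnerable:" opens an entry. The same package can open
    # several entries (one per VuXML record, e.g. sudo above), so counts sum.
    /^[^ \t].* is vulnerable:$/ { pkg = $1; seen[pkg] = 1; indeps = 0; next }
    /^CVE: /                    { cves[pkg]++; next }
    # Dependents start on the "Packages that depend on X:" line and may wrap
    # onto the following lines, up to the next entry or the final summary.
    /^Packages that depend on / { sub(/^Packages that depend on [^:]*: */, ""); indeps = 1 }
    indeps && /^[0-9]+ problem\(s\)/ { indeps = 0; next }
    indeps {
        n = split($0, f, /,[ \t]*/)
        for (i = 1; i <= n; i++) if (f[i] != "") deps[pkg]++
        next
    }
    END {
        for (p in seen)
            printf "%s cves=%d dependents=%d\n", p, cves[p] + 0, deps[p] + 0
    }' | LC_ALL=C sort
}

# Constructed sample in pkg(8)'s format (a subset of the entries quoted above).
SAMPLE_AUDIT='openexr-2.5.4 is vulnerable:
openexr, ilmbase -- security fixes related to reading corrupted input files
WWW: https://vuxml.FreeBSD.org/freebsd/98044aba-6d72-11eb-aed7-1b1b8a70cc8b.html
Packages that depend on openexr: gimp-app, gimp, gimp-gutenprint, opencv,
digikam, kf5-kimageformats
sudo-1.9.3p1 is vulnerable:
sudo -- Potential information leak in sudoedit
CVE: CVE-2021-23239
WWW: https://vuxml.FreeBSD.org/freebsd/6193b3f6-548c-11eb-ba01-206a8a720317.html
sudo-1.9.3p1 is vulnerable:
sudo -- Multiple vulnerabilities
CVE: CVE-2021-3156
WWW: https://vuxml.FreeBSD.org/freebsd/f3cf4b33-6013-11eb-9a0e-206a8a720317.html
Packages that depend on sudo:
tmux-3.1b is vulnerable:
tmux -- stack overflow in CSI parsing
WWW: https://vuxml.FreeBSD.org/freebsd/8827134c-1a8f-11eb-9bb0-08002725d892.html
Packages that depend on tmux:
4 problem(s) in 3 installed package(s) found.'

# Run the constructed sample through the summariser.
sample_triage() {
    printf '%s\n' "$SAMPLE_AUDIT" | audit_triage
}

sample_triage
```

A package with many dependents (freetype2 and xorg-server in the listing above) is the one whose upgrade pulls in the most, so it is the first place to look when a single-source repository leaves the fix unavailable; a package with none (sudo, tmux) can be upgraded or removed in isolation.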
This means that we really need to find a way to make quarterly work for us, rather than having to use last quarter's packages...
If only this could be solved FreeBSD-wide. I would really rather not want to have to maintain a private mirror of the packages.
… I would really rather not want to have to maintain a private mirror of the packages.
▶ https://github.com/helloSystem/ISO/issues/141#issuecomment-778791853
With reference to 12.2-RELEASE-p4:
FreeBSD-EN-21:08.freebsd-update fixes the bug that caused https://github.com/helloSystem/ISO/issues/115 https://github.com/helloSystem/ISO/issues/136 and https://github.com/helloSystem/ISO/issues/137
https://github.com/helloSystem/ISO/commit/1744e6d141b91c61897f423ef815965908a85e15 prevents upgrades to packages with helloSystem and so, increases the risk of problems. Again: please revert this commit; it's excessive.
When deciding on whether to base the next version on 12.x or on 13, we need to factor in that GPU acceleration may be severely limited in 13:
https://github.com/helloSystem/ISO/issues/22#issuecomment-790815426
Also, this currently blocks us from using 13: https://github.com/helloSystem/ISO/issues/32
(Unless we can get rid of gvfs which would be the best solution)
0.5.0 will be based on 12.2 thanks to the help of @crees with the Intel GPU driver.
I don't know about -p4 or how to download it.
Thanks,
I don't know about -p4
https://github.com/helloSystem/ISO/issues/135#issuecomment-781002580 above described patch levels and security advisories and:
patch level 3 i.e. 12.2-RELEASE-p3.
– so -p4 is patch level 4.
https://github.com/helloSystem/ISO/issues/135#issuecomment-784972239 above listed, and linked to, the four security vulnerabilities that were fixed at patch level 4.
I don't have a readily available list of security vulnerabilities that were fixed by levels 1, 2 or 3.
12.2-RELEASE is a huge step in the right direction ☑ however it lacks some security (through lack of all patches) and if I'm not mistaken:
If you prevent updates to the non-patched system, then you force users to be without fixes for security vulnerabilities. This is somewhat inconsistent with the welcome to the system, which mentions security:
A truly secure system involves much more than end-to-end encryption.
The prevention of package upgrades by https://github.com/helloSystem/ISO/commit/1744e6d141b91c61897f423ef815965908a85e15 is more than a security concern. It is, moreover, deeply inconsistent with the promised freedom to load software without restrictions.
Prevention is working against me, not for me.
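The `freebsd-version -kru` output earlier in the thread (installed kernel 12.2-RELEASE-p3, running kernel 12.2-RELEASE, userland 12.2-RELEASE-p3) is exactly the situation a patch-level check should flag: the kernel actually in use is older than the patched one on disk. The POSIX sh below is an added example, not part of FreeBSD or helloSystem; the function names are my own, and the three version strings in the demo call at the end are constructed to match that transcript. Called with no arguments on a FreeBSD host, `check_patch_levels` reads the live `freebsd-version -kru` output instead.

```shell
#!/bin/sh
# Compare the installed kernel, running kernel and userland version strings
# that `freebsd-version -kru` prints (one per line, in that order).
# Added example for this thread; not part of FreeBSD or helloSystem.

# patch_level VERSION -> the numeric -pN suffix, or 0 when there is none.
#   "12.2-RELEASE-p3" -> 3      "12.2-RELEASE" -> 0
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# base_release VERSION -> VERSION with any -pN suffix removed.
#   "12.2-RELEASE-p3" -> 12.2-RELEASE
base_release() {
    printf '%s\n' "${1%-p[0-9]*}"
}

# check_patch_levels [INSTALLED_KERNEL RUNNING_KERNEL USERLAND]
# With no arguments the three strings are taken from `freebsd-version -kru`.
# Prints one verdict and returns non-zero for anything other than "ok":
#   release-mismatch  the three strings are not the same base release
#   reboot-needed     the running kernel is older than the installed kernel
#   userland-behind   userland is older than the installed kernel
#   ok                consistent; a kernel older than userland is normal,
#                     because userland-only advisories do not rebuild it
check_patch_levels() {
    if [ $# -eq 0 ]; then
        set -- $(freebsd-version -kru)
    fi
    if [ $# -ne 3 ]; then
        printf 'usage: check_patch_levels [kernel running userland]\n' >&2
        return 2
    fi
    k=$1 r=$2 u=$3
    if [ "$(base_release "$k")" != "$(base_release "$r")" ] ||
       [ "$(base_release "$k")" != "$(base_release "$u")" ]; then
        printf 'release-mismatch\n'; return 2
    fi
    if [ "$(patch_level "$r")" -lt "$(patch_level "$k")" ]; then
        printf 'reboot-needed\n'; return 1
    fi
    if [ "$(patch_level "$u")" -lt "$(patch_level "$k")" ]; then
        printf 'userland-behind\n'; return 1
    fi
    printf 'ok\n'
}

# Constructed strings matching the transcript above: the patched kernel is
# installed, but the kernel that was booted is still plain 12.2-RELEASE.
check_patch_levels 12.2-RELEASE-p3 12.2-RELEASE 12.2-RELEASE-p3 || :
```

On a live ISO the "reboot-needed" verdict simply means the image's kernel predates the patch level of the packaged userland, which is what the transcript shows; on an installed system it means `freebsd-update install` has been run but the host has not been rebooted, so any kernel-side advisory is still open.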
Indeed. Will look into it. Opening a separate issue.
Thanks.
Briefly:
-p4 or how to download it.
I should assume that all post-p4 snapshots of STABLE are suitably patched; and more than stable enough for early development of helloSystem.
https://download.freebsd.org/ftp/snapshots/amd64/amd64/ISO-IMAGES/12.2/
Patching the contents of the ISO is probably futile, because at the time when the user installs the ISO of the helloSystem release there are already new patches available. So allowing the user to patch the installed system could possibly make sense, see my thoughts in https://github.com/helloSystem/Utilities/issues/33#issuecomment-800472572 though.
https://github.com/helloSystem/ISO/issues/135#issuecomment-781002580
helloSystem documentation refers to cirrus-ci.com but it's somewhat mysterious.
How can I tell what does exist?
Found, a few weeks later:
https://cirrus-ci.com/github/helloSystem/ shows all the builds that are going on, and their logs. Not something "mere mortals" should need to understand, but definitely interesting for helloSystem developers, testers, and power users ;-)
DRM
https://github.com/helloSystem/ISO/issues/1
From https://old.reddit.com/r/freebsd/comments/lgjuab/-/gn3t3qi/?context=1 for three relevant packages from latest:
OpenZFS
From https://github.com/helloSystem/ISO/issues/125#issuecomment-774700352:
FreeBSD 12.2-RELEASE-p3 with the kernel module built from a 12.2 jail for quarterly: https://user-images.githubusercontent.com/192271/107828490-e29b4480-6d80-11eb-88eb-ee3f7a796fe3.mp4
ksnip
https://github.com/helloSystem/ISO/issues/17 (2020-11-21)
https://github.com/helloSystem/ISO/blob/9c09b32a5862fd31c7d5e584b66db9249756b090/settings/packages.hello#L68
A fixed version in quarterly: https://www.freshports.org/graphics/ksnip#history 1.7.3_1 committed 2020-12-30.