Add security apt security suites to pbuilder base images
Closed, ResolvedPublic

Description

Currently the /etc/apt/sources.list files for the pbuilder base images are missing entries for the security suites. These files should be updated and managed by puppet. The files currently live under

/var/cache/pbuilder/base-*cow/

Event Timeline

jbond created this task. Apr 3 2019, 3:22 PM
Restricted Application added a subscriber: Aklapper. Apr 3 2019, 3:22 PM
jbond added a comment. Apr 4 2019, 9:08 AM

We will also need to configure an HTTP proxy for the security updates.

Currently the /etc/apt/sources.list for the pbuilder base images are missing entries for the security suites. These files should be updated and managed by puppet.

Why though? When creating that puppet module I avoided that on purpose, relying on the fact that security updates would anyway be making it to our hosts and package names for that remain constant. That assumption might not be true anymore, or I may very well have erred back then, but I'd like to know which of the 2 (or something else entirely) it is.

This is needed for jessie, it's in LTS stage, so packages only get updated/added to jessie-security (the original jessie is frozen). Jessie LTS added a clang-4.0 package (used to build the Rust-based Firefox packages), which we need for a different package, but with the current setup pbuilder doesn't see it as it's only in jessie-security.

Ah, so jessie-security is partly behaving like backports in a sense. OK, so my assumption wasn't entirely correct. Thanks for explaining it. Would it make sense to if-guard this somehow for jessie specifically, or some other tunable? Or would it just make things worse?

Right now this only applies to jessie, so we could guard it for jessie. In about 1.5 years when stretch turns into LTS we'll also need this for stretch, but we can adapt when the time has come.
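As an added example (not code from this task or from the operations/puppet change it references): a shell check that audits each pbuilder base image's sources.list for the distribution's security suite and prints the entry to add where it is missing, which is exactly the gap that hid clang-4.0 from pbuilder above. It assumes the standard Debian suite naming (`<codename>/updates` for jessie through buster, `<codename>-security` from bullseye on) and security.debian.org as the source; `mirror.example` and the two sample images are constructed.

```shell
# Added example, not from the task or operations/puppet: audit each pbuilder base
# image's sources.list for the security suite. Debian names it "<codename>/updates"
# (jessie..buster) or "<codename>-security" (bullseye and later); both are accepted.
# has_security_suite CODENAME FILE: exit 0 if FILE has an active "deb" line for
# CODENAME's security suite. Commented-out lines and deb-src lines do not count.
has_security_suite() {
    codename="$1"; file="$2"
    grep -Ev '^[[:space:]]*(#|$)' "$file" 2>/dev/null | grep -E \
      "^[[:space:]]*deb[[:space:]]+(\[[^]]*\][[:space:]]+)?[^[:space:]]+[[:space:]]+(${codename}/updates|${codename}-security)([[:space:]]|$)" \
      >/dev/null
}

# security_line CODENAME: the entry to add (security.debian.org assumed; a site
# mirroring the security archive would point this at its mirror instead).
security_line() {
    case "$1" in
        jessie|stretch|buster) echo "deb http://security.debian.org/ $1/updates main" ;;
        *) echo "deb http://security.debian.org/debian-security $1-security main" ;;
    esac
}

# audit_base_images DIR: check every DIR/base-<codename>-<arch>.cow (the layout
# under /var/cache/pbuilder); print a verdict per image, return 1 if any is missing.
audit_base_images() {
    rc=0
    for cow in "$1"/base-*.cow; do
        [ -d "$cow" ] || continue
        name=$(basename "$cow" .cow); name=${name#base-}; codename=${name%%-*}
        if has_security_suite "$codename" "$cow/etc/apt/sources.list"; then
            echo "ok      $cow"
        else
            echo "missing $cow -> add: $(security_line "$codename")"
            rc=1
        fi
    done
    return $rc
}

# make_sample: constructed images, one with the suite and one without; prints the dir.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/base-jessie-amd64.cow/etc/apt" "$d/base-stretch-amd64.cow/etc/apt"
    printf '%s\n' 'deb http://mirror.example/debian/ jessie main' \
        '# deb http://security.debian.org/ jessie/updates main' \
        > "$d/base-jessie-amd64.cow/etc/apt/sources.list"
    printf '%s\n' 'deb http://mirror.example/debian/ stretch main' \
        'deb http://security.debian.org/ stretch/updates main' \
        > "$d/base-stretch-amd64.cow/etc/apt/sources.list"
    echo "$d"
}
```

Run `audit_base_images /var/cache/pbuilder` from a cron job or CI check; a non-zero exit means at least one base image builds against an archive that no longer receives fixes.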

Change 501163 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] pbuilder: add security updates repository

https://gerrit.wikimedia.org/r/501163

jbond triaged this task as Normal priority. Apr 4 2019, 2:02 PM

Change 501163 merged by Jbond:
[operations/puppet@production] pbuilder: add security updates repository

https://gerrit.wikimedia.org/r/501163

Change 501535 had a related patch set uploaded (by Jbond; owner: John Bond):
[operations/puppet@production] package-builder: export hook variable

https://gerrit.wikimedia.org/r/501535

Change 501535 merged by Jbond:
[operations/puppet@production] package-builder: export hook variable

https://gerrit.wikimedia.org/r/501535

jbond closed this task as Resolved. Apr 10 2019, 12:11 PM