[libvirt] ANNOUNCE: libvirt 1.0.5.6 maintenance release

libvirt 1.0.5.6 maintenance release is now available. This is libvirt 1.0.5 with additional bugfixes that have accumulated upstream since the initial release.

This release can be downloaded at:

http://libvirt.org/sources/stable_updates/libvirt-1.0.5.6.tar.gz

Changes in this version:

* virsh: fix change-media bug on disk block type
* Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
* Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)
* Include process start time when doing polkit checks
* qemuDomainChangeGraphics: Check listen address change by listen type
* security: provide supplemental groups even when parsing label (CVE-2013-4291)
* python: return dictionary without value in case of no blockjob
* virbitmap: Refactor virBitmapParse to avoid access beyond bounds of array

For info about past maintenance releases, see:
http://wiki.libvirt.org/page/Maintenance_Releases

Thanks,
Cole

On Fri, Sep 20, 2013 at 06:48:04PM -0400, Cole Robinson wrote:
libvirt 1.0.5.6 maintenance release is now available. This is libvirt 1.0.5 with additional bugfixes that have accumulated upstream since the initial release.
This release can be downloaded at:
http://libvirt.org/sources/stable_updates/libvirt-1.0.5.6.tar.gz
Changes in this version:
* virsh: fix change-media bug on disk block type
* Fix crash in remoteDispatchDomainMemoryStats (CVE-2013-4296)
* Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)

The fix for this CVE is incomplete. There's a flaw in it affecting the ACL code, which I've just posted a followup fix for
https://www.redhat.com/archives/libvir-list/2013-September/msg01244.html

So we'll need a 1.0.5.7 release with this.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

On Fri, Sep 20, 2013 at 06:48:04PM -0400, Cole Robinson wrote:
libvirt 1.0.5.6 maintenance release is now available. This is libvirt 1.0.5 with additional bugfixes that have accumulated upstream since the initial release.
The fix for this CVE is incomplete. There's a flaw in it affecting the ACL code, which I've just posted a followup fix for
https://www.redhat.com/archives/libvir-list/2013-September/msg01244.html
So we'll need a 1.0.5.7 release with this.
Huh? ACLs weren't added until 1.1.0, so I don't see how the typo added in ACL code can affect pre-ACL code.

-- 
Eric Blake   eblake@redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On Mon, Sep 23, 2013 at 08:09:50AM -0400, Eric Blake wrote:
On Fri, Sep 20, 2013 at 06:48:04PM -0400, Cole Robinson wrote:
libvirt 1.0.5.6 maintenance release is now available. This is libvirt 1.0.5 with additional bugfixes that have accumulated upstream since the initial release.
The fix for this CVE is incomplete. There's a flaw in it affecting the ACL code, which I've just posted a followup fix for
https://www.redhat.com/archives/libvir-list/2013-September/msg01244.html
So we'll need a 1.0.5.7 release with this.
Huh? ACLs weren't added until 1.1.0, so I don't see how the typo added in ACL code can affect pre-ACL code.
Oops, you're right. The identity infrastructure for ACLs existed, but was dormant.

Daniel

Hi,

On Fri, Sep 20, 2013 at 06:48:04PM -0400, Cole Robinson wrote:
libvirt 1.0.5.6 maintenance release is now available. This is libvirt 1.0.5 with additional bugfixes that have accumulated upstream since the initial release.
I would like to make a 0.9.12.1 tarball release like this too. Do we have the procedure documented somewhere? I'd assume:

make distcheck
git tag -m"Release of libvirt-0.9.12.1" v0.9.12.1
upload tarball
send announcement mail

Is there anything else to it? Is there a script doing this already? How are uploads permissions for new tarballs being handled?

Cheers,
-- Guido

On 09/23/2013 08:12 AM, Guido Günther wrote:
Hi,

On Fri, Sep 20, 2013 at 06:48:04PM -0400, Cole Robinson wrote:
libvirt 1.0.5.6 maintenance release is now available. This is libvirt 1.0.5 with additional bugfixes that have accumulated upstream since the initial release.
I would like to make a 0.9.12.1 tarball release like this too. Do we have the procedure documented somewhere. I'd assume:

make distcheck
git tag -m"Release of libvirt-0.9.12.1" v0.9.12.1
upload tarball
send announcement mail
Is there anything else to it? Is there a script doing this already?
I basically do:

- quick smoke test to make sure libvirt and virsh are working:
  -- stop system libvirtd
  -- sudo ./daemon/libvirt
  -- sudo ./tools/virsh list --all
- make check && make rpm && make distcheck
- cd po/ && make update-po
- bump configure.ac
- bump rpm spec
- git tag v$VER -m "libvirt release $VER"
- commit
- git push && git push --tags
- git clean -xdf && ./autogen.sh --system && make dist
- upload tarball
- update http://wiki.libvirt.org/page/Maintenance_Releases
- send out announce mail

How are uploads permissions for new tarballs being handled?

DV set me up when I first started doing the releases, maybe Eric or Danpb have required permissions as well.

- Cole

On Mon, Sep 23, 2013 at 01:36:40PM -0400, Cole Robinson wrote:
On 09/23/2013 08:12 AM, Guido Günther wrote:
Hi,

On Fri, Sep 20, 2013 at 06:48:04PM -0400, Cole Robinson wrote:
libvirt 1.0.5.6 maintenance release is now available. This is libvirt 1.0.5 with additional bugfixes that have accumulated upstream since the initial release.
I would like to make a 0.9.12.1 tarball release like this too. Do we have the procedure documented somewhere. I'd assume:

make distcheck
git tag -m"Release of libvirt-0.9.12.1" v0.9.12.1
upload tarball
send announcement mail

Is there anything else to it? Is there a script doing this already?
I basically do:

- quick smoke test to make sure libvirt and virsh are working:
  -- stop system libvirtd
  -- sudo ./daemon/libvirt
  -- sudo ./tools/virsh list --all
- make check && make rpm && make distcheck
- cd po/ && make update-po
- bump configure.ac
- bump rpm spec
- git tag v$VER -m "libvirt release $VER"
- commit
- git push && git push --tags
- git clean -xdf && ./autogen.sh --system && make dist
- upload tarball
- update http://wiki.libvirt.org/page/Maintenance_Releases
- send out announce mail
This helped a lot. I hope I didn't mess things up, thanks a bunch!

-- Guido

On 10/01/2013 07:47 AM, Guido Günther wrote:
- quick smoke test to make sure libvirt and virsh are working:
  -- stop system libvirtd
  -- sudo ./daemon/libvirt
  -- sudo ./tools/virsh list --all
- make check && make rpm && make distcheck
- cd po/ && make update-po
- bump configure.ac
- bump rpm spec
- git tag v$VER -m "libvirt release $VER"
- commit
- git push && git push --tags

Careful - this would push ALL tags, even unsigned tags or tags that are local-only. Instead, I would do:

git push && git push origin v$VER

which pushes the branch and JUST the newly-created version tag.

- git clean -xdf && ./autogen.sh --system && make dist
- upload tarball
- update http://wiki.libvirt.org/page/Maintenance_Releases
- send out announce mail
This helped a lot. I hope I didn't mess things up, thanks a bunch!
Looks good; except I don't see the v0.9.12.1 tag pushed upstream yet.

-- 
Eric Blake

On Tue, Oct 01, 2013 at 10:04:56AM -0600, Eric Blake wrote:
On 10/01/2013 07:47 AM, Guido Günther wrote:
- quick smoke test to make sure libvirt and virsh are working:
  -- stop system libvirtd
  -- sudo ./daemon/libvirt
  -- sudo ./tools/virsh list --all
- make check && make rpm && make distcheck
- cd po/ && make update-po
- bump configure.ac
- bump rpm spec
- git tag v$VER -m "libvirt release $VER"
- commit
- git push && git push --tags

Careful - this would push ALL tags, even unsigned tags or tags that are local-only. Instead, I would do:

git push && git push origin v$VER

I'm supercautious and use:

git push libvirt.org v0.9.12-maint:v0.9.12-maint v0.9.12.2

which pushes the branch and JUST the newly-created version tag.

- git clean -xdf && ./autogen.sh --system && make dist
- upload tarball
- update http://wiki.libvirt.org/page/Maintenance_Releases
- send out announce mail
This helped a lot. I hope I didn't mess things up, thanks a bunch!
Looks good; except I don't see the v0.9.12.1 tag pushed upstream yet.
It's here:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=ea095a4aac5ef5166baaa6a98f3...

The issue is that (due to an error on my end caused by the failing make distcheck fixed by 38653834505eaf9d6d6221d90a3e61d5d3d95dbc) 0.9.12.1 wasn't cut from the branch head but from ea095a4aac5ef5166baaa6a98f352651defca5d9. Now that we have that fixed I released 0.9.12.2 and everything should be back to normal (and we hopefully don't need another 0.9.12.x soonish).

Cheers,
-- Guido

On Mon, Sep 23, 2013 at 01:36:40PM -0400, Cole Robinson wrote:
I basically do:
- quick smoke test to make sure libvirt and virsh are working:
  -- stop system libvirtd
  -- sudo ./daemon/libvirt
  -- sudo ./tools/virsh list --all
- make check && make rpm && make distcheck
- cd po/ && make update-po
- bump configure.ac
- bump rpm spec
- git tag v$VER -m "libvirt release $VER"
- commit
- git push && git push --tags
- git clean -xdf && ./autogen.sh --system && make dist
- upload tarball
- update http://wiki.libvirt.org/page/Maintenance_Releases
- send out announce mail

It would be very nice if the announce mail included either a sha256 checksum for the tarball (thanks Guido for doing that in your recent release!), or a GPG key used to sign the release, see http://lwn.net/Articles/548857/ for more details about this.

Christophe

On Wed, Oct 02, 2013 at 10:59:03AM +0200, Christophe Fergeau wrote:
On Mon, Sep 23, 2013 at 01:36:40PM -0400, Cole Robinson wrote:
I basically do:
- quick smoke test to make sure libvirt and virsh are working:
  -- stop system libvirtd
  -- sudo ./daemon/libvirt
  -- sudo ./tools/virsh list --all
- make check && make rpm && make distcheck
- cd po/ && make update-po
- bump configure.ac
- bump rpm spec
- git tag v$VER -m "libvirt release $VER"
- commit
- git push && git push --tags
- git clean -xdf && ./autogen.sh --system && make dist
- upload tarball
- update http://wiki.libvirt.org/page/Maintenance_Releases
- send out announce mail
It would be very nice if the announce mail included either a sha256 checksum for the tarball (thanks Guido for doing that in your recent release!), or a GPG key used to sign the release, see http://lwn.net/Articles/548857/ for more details about this.
I sign the tag as well as the email so together with the checksums this builds the "chain of trust" (given you trust my gpg signature). A further improvement would be to build the tarballs first and then add the checksums as the commit message of the tag - I'll try to do that with the next 0.9.12.x release.

This is the quick hack I'm currently using based on Cole's description - it sure needs further tweaking when doing further releases:

---
#!/bin/bash
# set -e

# Usage: <script> <version> <oldversion>
if [ -z "$1" -o -z "$2" ]; then
    echo "Usage $0 version oldversion"
    exit 1
fi

VERSION=$1
OLDVER=$2
TARBALL=libvirt-$VERSION.tar.gz

# Checksums of the already-built tarball, each in "<digest>  <file>" form
MD5=$(md5sum "$TARBALL")
SHA1=$(sha1sum "$TARBALL")
SHA256=$(sha256sum "$TARBALL")

# GPG-signed release tag
git tag -s -m "libvirt release $VERSION" v$VERSION

# One line per non-merge commit since the previous release tag
CHANGES=$(git log --no-merges --pretty=" %s (%an)" v$OLDVER..v$VERSION)

cat <<EOF
To: libvirt-list@redhat.com
Cc: libvirt-announce@redhat.com
Subject: ANNOUNCE: libvirt $VERSION maintenance release

libvirt $VERSION maintenance release is now available. This is libvirt 0.9.12 with additional bugfixes that have accumulated upstream since the initial release.

This release can be downloaded at:

http://libvirt.org/sources/stable_updates/$TARBALL

md5sum: $MD5
sha1: $SHA1
sha256: $SHA256

Changes in this release:
$CHANGES

For info about past maintenance releases, see:
http://wiki.libvirt.org/page/Maintenance_Releases

Cheers,
-- Guido
EOF
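Added example, not part of this thread and not Guido's script or libvirt project code: the consumer side of the chain of trust discussed above. Given a downloaded tarball and a saved copy of the signed announce mail, it recomputes the sha256 and compares it with the announced one; the md5/sha1 lines are treated as informational only, and the signed tag itself would be checked separately with `git tag -v` against a trusted key (not run here). It assumes GNU coreutils (sha256sum, md5sum, sha1sum, mktemp) and the `sha256: <digest>  <file>` line layout produced by the script above; the tarball bytes and the announce mail in the demo are constructed, not real release artifacts.

```shell
#!/bin/sh
# Added example: verify a downloaded release tarball against the sha256
# published in a signed announce mail. Assumes GNU coreutils. The tag
# signature is the other half of the chain: `git tag -v v$VERSION`.

# Emit checksum lines in the announce-mail layout ("<digest>  <file>").
announce_checksums() {
    t=$1
    printf 'md5sum: %s\n' "$(md5sum "$t")"
    printf 'sha1: %s\n' "$(sha1sum "$t")"
    printf 'sha256: %s\n' "$(sha256sum "$t")"
}

# Pull the sha256 hex digest out of a saved announce mail.
# Only sha256 drives the decision; md5 and sha1 are informational.
announced_sha256() {
    awk '$1 == "sha256:" { print $2; exit }' "$1"
}

# Compare the announced digest with the downloaded tarball.
# Returns 0 on match, 1 on mismatch, 2 if the mail has no sha256 line.
verify_tarball() {
    t=$1
    a=$2
    want=$(announced_sha256 "$a")
    if [ -z "$want" ]; then
        echo "no sha256 line in $a" >&2
        return 2
    fi
    got=$(sha256sum "$t" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        echo "OK: $t matches announced sha256"
        return 0
    fi
    echo "MISMATCH: $t" >&2
    echo "  announced: $want" >&2
    echo "  computed:  $got" >&2
    return 1
}

# Constructed demo: a stand-in "tarball" (plain bytes, not a real archive)
# and a minimal announce mail written from its genuine digest. Returns 0
# only if the intact file passes and a tampered copy is rejected.
run_demo() {
    dir=$(mktemp -d)
    tarball="$dir/libvirt-0.9.12.2.tar.gz"
    printf 'constructed stand-in for a release tarball\n' > "$tarball"
    {
        echo "Subject: ANNOUNCE: libvirt 0.9.12.2 maintenance release"
        echo
        announce_checksums "$tarball"
    } > "$dir/announce.txt"

    verify_tarball "$tarball" "$dir/announce.txt" || return 1

    # A swapped or truncated download (e.g. replaced on a mirror) must fail.
    printf 'x' >> "$tarball"
    if verify_tarball "$tarball" "$dir/announce.txt" 2>/dev/null; then
        return 1
    fi
    rm -rf "$dir"
    return 0
}

run_demo
```

The mail-side digest is what makes this worthwhile: the announce is archived on list servers unrelated to the download host, so an attacker who can replace a tarball on the mirror still has to produce a matching sha256 in a message the maintainer signed. `verify_tarball` is the only function that needs to be kept around; the demo just shows it accepting the intact file and rejecting a modified one.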

Hey,

On Wed, Oct 02, 2013 at 08:12:24PM +0200, Guido Günther wrote:
It would be very nice if the announce mail included either a sha256 checksum for the tarball (thanks Guido for doing that in your recent release!), or a GPG key used to sign the release, see http://lwn.net/Articles/548857/ for more details about this.
I sign the tag as well as the email so together with the checksums this builds the "chain of trust" (given you trust my gpg signature). A further improvement would be to build the tarballs first and then add the checksums as the commit message of the tag - I'll try to do that with the next 0.9.12.x release.
Having the checksum of the tarball in a signed email archived in a totally different place than the server hosting the actual tarballs is already very good imo, I'm not sure it's worth complicating the process even further (but it wouldn't hurt if you do that I guess!)

Christophe