Debian Developers - Packaing Xen 3.0 etc for Debian

Author

Packaing Xen 3.0 etc for Debian

Matthew Grant

2006-02-26, 9:51 am

Ralph,

I am a Debian Maintainer who is seriously considering getting Xen into
Debian and Ubuntu.

I have been installing xen-unstable.hg from source on my AMD 64 and have
been impressed with its relative stability.

I am prepared to sponsor your packages into Debian if we can get them
cleaned up.

Other things I am looking at are special Xen source trees. We would
need the Debian security team to give us access to a patch repository
for all the Linux security patches. The trick is to get the security
fixes split out from all the other updates that come in the point
releases for the current vanila kernel.org tree. Patching Xen against
the standard Debian kernel tree may be asking for problems, so it is
better to work off a vanilla kernel.org tarball and xen-unstable.hg

What are your thoughts?

Regards,

Matthew Grant

--
Matthew Grant <grantma@anathoth.gen.nz>
Matthew's UNIX Box

Steve Langasek

2006-02-26, 9:51 am

On Fri, Feb 24, 2006 at 11:02:57PM +1300, Matthew Grant wrote:

> I am a Debian Maintainer who is seriously considering getting Xen into
> Debian and Ubuntu.

> I have been installing xen-unstable.hg from source on my AMD 64 and have
> been impressed with its relative stability.

> I am prepared to sponsor your packages into Debian if we can get them
> cleaned up.

> Other things I am looking at are special Xen source trees. We would
> need the Debian security team to give us access to a patch repository
> for all the Linux security patches.

What does this mean, exactly? The Debian security team doesn't maintain any
such patch repository, so I think any strategy that depends on them
implementing this for you is doomed to failure.

> The trick is to get the security fixes split out from all the other
> updates that come in the point releases for the current vanila kernel.org
> tree. Patching Xen against the standard Debian kernel tree may be asking
> for problems, so it is better to work off a vanilla kernel.org tarball and
> xen-unstable.hg

Patching Xen against something *other* than the standard Debian kernel tree
is asking for problems, because it means builds of an additional source
package for every security update, plus no guarantee that a given security
patch will apply cleanly to both trees, even *without* taking the Xen patch
itself into consideration.

Bastian Blank, a member of the Debian kernel team, is looking at integrating
XenoLinux builds into the official linux-2.6 package. I think that's a much
better option, and would strongly encourage anyone interested in Xen
packaging to coordinate with the kernel team on this.

(Yes, I'm aware there's a pkg-xen maintenance team on alioth as well; but
AFAICT the maintainer of the current xen package is not a member of that
packaging group, and there's no mention of xen on the wnpp bug page --
what's up with that?)

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/

Norbert Tretkowski

2006-02-26, 9:51 am

* Matthew Grant wrote:
> We would need the Debian security team to give us access to a patch
> repository for all the Linux security patches.

Those patches are in the kernel svn repository.

http://svn.debian.org/wsvn/kernel/d...debian/patches/

Norbert

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Bastian Blank

2006-02-26, 9:51 am

On Fri, Feb 24, 2006 at 11:02:57PM +1300, Matthew Grant wrote:
> I am a Debian Maintainer who is seriously considering getting Xen into
> Debian and Ubuntu.

The debian kernel team will maintain xen images with the linux-2.6
source. I currently prepare both xen 3.0 and unstable packages, which
can be hopefully uploaded today. Maintainer will be the kernel team, as
there are heavy dependencies between xen and the kernel.

> I am prepared to sponsor your packages into Debian if we can get them
> cleaned up.

Please don't.

Bastian

--
Sometimes a man will tell his bartender things he'll never tell his doctor.
-- Dr. Phillip Boyce, "The Menagerie" ("The Cage"),
stardate unknown.

Ralph Passgang

2006-02-26, 9:51 am

Am Freitag, 24. Februar 2006 11:02 schrieb Matthew Grant:
> Ralph,

Hi Matthew,

> I am a Debian Maintainer who is seriously considering getting Xen into
> Debian and Ubuntu.
>
> I have been installing xen-unstable.hg from source on my AMD 64 and have
> been impressed with its relative stability.
>
> I am prepared to sponsor your packages into Debian if we can get them
> cleaned up.

There is already a project on alioth, called pkg-xen, which exactly tries to
do this. We started with my package and have it (more or less) debian-policy
compatible now, but some minor things are still to do (afaik).

We are already three debian developers/maintainers + two external guys (I am
one of them) and have made some real process.

If you like you can join this project and help us getting xen3 into debian.

> Other things I am looking at are special Xen source trees. We would
> need the Debian security team to give us access to a patch repository
> for all the Linux security patches. The trick is to get the security
> fixes split out from all the other updates that come in the point
> releases for the current vanila kernel.org tree. Patching Xen against
> the standard Debian kernel tree may be asking for problems, so it is
> better to work off a vanilla kernel.org tarball and xen-unstable.hg

this is for example also a topic already discussed on the pkg-xen-devel list.
We will supply a patch for a vanilla 2.6.12 (at first) and might also provide
binary kernel-images in future (most likely if xen gets merged in the main
linux tree). If the xen project releases the next stable version with 2.6.16
we will switch to this version too.

> What are your thoughts?

My thoughts? Join the alioth-project and help us if you want. We are open to
new people that wants to help, so you are very welcome.

> Regards,
>
> Matthew Grant

regards,
Ralph

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Moritz Muehlenhoff

2006-02-26, 11:25 am

Matthew Grant wrote:
> 2) Their stable release uses a kernel that is not patched for security
> holes.

It is, the status of the currently prepared sarge2 update can be found at
http://wiki.debian.org/DebianKernelSargeUpdateStatus

> Fortunately, individual security fixes are almost all only small
> patches that are easily merged with any kernel tree with the editing of
> maybe 2 or 3 lines at worst. This means that any kernel tree should be
> easily maintainable, once the security fix patches are identified in the
> kernel.org git change-sets. =20
>
> This identification process has to be done at the moment for the current
> stable Debian kernel, so if the security fix patches where done by
> individual CVE, and documented with the kernel versions they are needed
> for,

We do track them by CVE ID:
http://svn.debian.org/wsvn/kernel/p...ing/?rev=0&sc=0

> any Xen kernel tree should be easily maintainable separately.

And who should do this? Kernel updates already consume way too much time,
the approach by Bastian with xen being a subflavour of the linux-2.6
source package seems the only feasible.

Cheers,
Moritz

--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Steve Langasek

2006-02-27, 2:49 am

On Sun, Feb 26, 2006 at 12:14:26PM +0100, Moritz Muehlenhoff wrote:
> Matthew Grant wrote:
[vbcol=seagreen]
> It is, the status of the currently prepared sarge2 update

He was referring to the stable release of *Xen*, which is based on Linux
2.6.12.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/