1. 10 Oct, 2018 1 commit
  2. 19 Sep, 2018 1 commit
  3. 01 Sep, 2018 1 commit
  4. 30 Aug, 2018 1 commit
      APT: pin intel-microcode/stretch-backports and binary packages built from... · 8f614cb7
      intrigeri authored
      APT: pin intel-microcode/stretch-backports and binary packages built from src:firmware-nonfree/sid to the same level as our custom APT repo.
      This allows us to upgrade these packages to a newer version than the one found
      in the currently used time-based APT snapshots, by uploading newer packages to
      our custom APT repo. But once the version in our time-based APT snapshots of
      respectively stretch-backports and sid becomes newer than the one in our custom
      APT repo, the former will supersede the latter.
  5. 29 Aug, 2018 1 commit
  6. 14 Aug, 2018 1 commit
  7. 08 Aug, 2018 1 commit
  8. 04 Aug, 2018 1 commit
  9. 01 Aug, 2018 1 commit
  10. 01 Jul, 2018 1 commit
  11. 28 Jun, 2018 1 commit
  12. 05 Jun, 2018 4 commits
  13. 26 May, 2018 1 commit
      Install virtualbox from our custom APT repository (refs: #15621) · 477e417f
      intrigeri authored
      As per https://labs.riseup.net/code/issues/12048#note-12:
      "we'll ship virtualbox-guest-x11 from sid as long as it's installable on
      Stretch; then we'll import the last working version in our custom APT repo.
      And if/when that last working version breaks (e.g. because we get a new xorg
      from stretch-backports and the virtualbox driver doesn't build against it
      anymore, there's no ABI compatibility between major X.Org versions, all drivers
      need to be rebuilt against the new one; it's happened a few times already that
      whatever virtualbox backport we were shipping wasn't compatible with the xorg
      from backports, etc.), then we'll reconsider and possibly drop
      VirtualBox support."
  14. 23 May, 2018 1 commit
  15. 29 Mar, 2018 1 commit
  16. 28 Mar, 2018 1 commit
  17. 16 Mar, 2018 1 commit
      Import current persistence-setup.git's and perl5lib.git's... · 9ecb8270
      intrigeri authored
      Import current persistence-setup.git's and perl5lib.git's feature/14594-asp-gui branches; accordingly add new package dependencies.
      Respectively at commit 85fe743ec9818bb77bb35dc133c019c955d02148
      and f10204fa5035ebae6a2e682ede3518c7e3dd245c.
  18. 10 Mar, 2018 1 commit
  19. 27 Feb, 2018 1 commit
  20. 26 Feb, 2018 5 commits
  21. 24 Feb, 2018 1 commit
  22. 23 Feb, 2018 1 commit
      Ship systemd from stretch-backports. · bf317f15
      bertagaz authored
      Install systemd v236, required to get the meek_lite PT to work, and have
      the unsafe browser and the Tor launcher applications do clearnet DNS
      resolution. This is required to get systemd's `BindReadOnlyPaths`
      directive introduced in commit 4fc2cd47.
      Refs: #8243, #8775
  23. 22 Feb, 2018 1 commit
  24. 14 Feb, 2018 1 commit
      Install Intel processor microcode firmware from stretch-backports (refs: #15173). · 20b79c23
      intrigeri authored
      The maintainer of intel-microcode in Debian carefully uploads to
      stretch-backports updates he thinks are safe for stable users. For example,
      right now stretch-backports has 3.20171117.1~bpo9+1 which is the latest
      available version that's not affected by the many regressions introduced by
      This commit does *not* currently give us IBRS/IBPB/STIBP microcode support for
      Spectre variant 2 mitigation: the currently available firmware with that support
      is too buggy. Instead, it:
       - updates microcode firmware to the latest good enough version, which usually
         brings important bugfixes;
       - paves the way for us to get this mitigation whenever it is ready in a form
         that the maintainer of intel-microcode in Debian thinks can be safely pushed
         to Debian stable users.
  25. 07 Feb, 2018 1 commit
      Revert to xorg-xserver from Stretch (refs: #15232) · 2579876c
      intrigeri authored
      For #12219 we've tried upgrading to xorg-xserver 2:1.19.3-1 but that did not fix
      the bug. Since then we've stuck to that version, which has a greater version
      than the one in Stretch, but 1. does not get any security updates; 2. does not
      track new versions from testing/sid either.
      So let's get back to a saner situation and instead track the version in Stretch.
  26. 05 Feb, 2018 1 commit
  27. 30 Jan, 2018 1 commit
  28. 16 Jan, 2018 1 commit
  29. 11 Jan, 2018 1 commit
      Install amd64-microcode and intel-microcode from sid (refs: #15148). · 9e6aec2c
      intrigeri authored
      In the short term, this allows us to get the mitigation against
      Spectre (CVE-2017-5715).
      While this could be done via our freeze exception mechanism, instead I chose to
      bump APT snapshots and add APT pinning to install these packages from sid for
      the foreseeable future: keeping CPU microcode up-to-date has become an important
      factor in securing systems these days and such security updates land faster in
      sid than anywhere else in Debian.
  30. 06 Jan, 2018 2 commits
  31. 05 Jan, 2018 2 commits