Thursday, 2026-04-30

« Wednesday, 2026-04-29 Index Friday, 2026-05-01 »
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has quit IRC (Read error: Connection reset by peer)03:51
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has joined #cip03:52
*** monstr <monstr!~monstr@nat-108f.starnet.cz> has joined #cip05:52
*** monstr <monstr!~monstr@nat-108f.starnet.cz> has quit IRC (Ping timeout: 248 seconds)06:03
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has quit IRC (Read error: Connection reset by peer)06:12
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has joined #cip06:13
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has quit IRC (Read error: Connection reset by peer)08:28
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has joined #cip08:28
*** monstr <monstr!~monstr@nat-108f.starnet.cz> has joined #cip09:04
*** monstr <monstr!~monstr@nat-108f.starnet.cz> has quit IRC (Ping timeout: 248 seconds)09:31
*** prabhakalad <prabhakalad!~prabhakar@97e54365.skybroadband.com> has quit IRC (Read error: Connection reset by peer)10:52
*** prabhakalad <prabhakalad!~prabhakar@97e54365.skybroadband.com> has joined #cip11:04
*** ctani <ctani!~ctani@86.121.79.65> has joined #cip11:53
*** jki <jki!~jki@62.156.206.16> has joined #cip11:54
*** masami <masami!~masami@FL1-111-168-44-134.tky.mesh.ad.jp> has joined #cip11:58
jkihi all12:00
uli_hello12:00
pave1Hi!12:00
masamihi12:00
iwamatsuhello12:00
jki#startmeeting CIP IRC weekly meeting12:00
collab-meetbotMeeting started Thu Apr 30 12:00:48 2026 UTC and is due to finish in 60 minutes.  The chair is jki. Information about MeetBot at http://wiki.debian.org/MeetBot.12:00
collab-meetbotUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.12:00
collab-meetbotThe meeting name has been set to 'cip_irc_weekly_meeting'12:00
*** collab-meetbot changes topic to " (Meeting topic: CIP IRC weekly meeting)"12:00
jki#topic AI review12:00
*** collab-meetbot changes topic to "AI review (Meeting topic: CIP IRC weekly meeting)"12:00
jkiagain: none12:01
jki512:01
jki412:01
jki312:01
jki212:01
jki112:01
jki#topic Kernel maintenance updates12:01
*** collab-meetbot changes topic to "Kernel maintenance updates (Meeting topic: CIP IRC weekly meeting)"12:01
uli_i pushed 4.412:01
masamiThis week reported 163 new CVEs and 60 updated CVEs.12:01
iwamatsuI was unable to work on the review this week.12:02
pave1I did some reviews: 6.12.84, .83 and .8212:02
masamifyi: I have confirmed that the Copy Fail PoC works with versions 4.19.325-cip130-st14 and 5.10.252-cip71.12:03
masamiI haven't tested with 6.1 yet.12:03
pave1Local root. World is not ending, but this one has high publicity...12:04
jkiwhich PoC exactly?12:04
pave1...and a name :-)12:04
pave1CVE-2026-31431.12:04
masamihttps://copy.fail/#exploit this one.12:04
jkiyes, it's more on the visibility side12:04
jkiolder systems used to have less local exploit vectors then todays systems have12:05
jkiso, were is upstream with backporting?12:05
jkiI lost overview12:05
jkiand what are we doing right now?12:05
pave1I tried backporting, and it turned out not to be trivial.12:06
jkiand LTS has the fix in... ?12:06
pave1This may help:12:07
pave1https://lore.kernel.org/stable/2026043003-skier-sprint-7b88@gregkh/T/#t12:07
jkiso, down to 5.10 should come via LTS for us12:07
jkionly 4.19 then our business, right?12:07
pave1Yes.12:08
jkiBTW, Debian is waiting as well: https://security-tracker.debian.org/tracker/CVE-2026-3143112:08
arisutjust disable it12:08
jkido we have it enabled in our configs?12:08
arisuthttps://paste.gentoo.zip/tnMM73Xk12:08
pave1I believe so. At least that's what review scripts were telling me.12:09
jkican it be .config-wise disabled as well without breaking too much?12:09
arisutneed to disable authencesn12:10
iwamatsuAF_ALG?12:10
pave1CONFIG_CRYPTO_AUTHENC. I have not known about it before the exploit :-)12:10
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has quit IRC (Read error: Connection reset by peer)12:11
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has joined #cip12:11
jkiuse cases?12:11
iwamatsuCONFIG_CRYPTO_AUTHENC is enabled on cip-kernel-configs12:11
jkiquite a few "select" in the kernel...12:11
pave1Kconfig help says: Authenc: Combined mode wrapper for IPsec. This is required for IPSec ESP (XFRM_ESP).12:11
jkiIPsec - was already suspecting this12:12
jkiI bet we have users who would shout out, "I need it", even if not all12:13
jkiCONFIG_MAC802154 selects it as well12:13
pave1We still should teach our users not to enable things they don't need, but that's long term project.12:13
jkisure - they will learn eventually ;)12:14
pave1Or their customers will :-)12:14
arisutpatches are already in in the latest kernels https://kernel.org/12:14
pave1I don't believe it is worth press release "run and disable CRYPTO_AUTHENC because sky is falling"12:14
pave1...before by the time they disable the config, better solution will be already available.12:15
jkinope, but some posting on the mailing list would be good12:15
jkiwe could communicate the workaround(s) now and ask for demand of faster fixes12:15
jkiwhile waiting for 5.10 to settle and developing/testing 4.19 fix12:15
jkionce the fixes are in our tree, we can communicate again and only then decide whether to release earlier12:16
pave1So... 6.12.85 is out, mostly crypto changes. I believe that's related.12:16
jkiseveral releases are due mid of May12:16
jkianyway, I think communicating is key unless we already consider this super-critical12:17
jkiwhich does not seem to be the case12:17
pave15.10.254 is out, too.12:17
pave1Well, I did "Copy fail" -- Fun CVE -- CVE-2026-31431" post :-)12:17
jkiyes, but also share more more structured overview12:18
jkifor workarounds and for our patching status12:18
jki5.10.254 is fixed, newer ones then as well12:18
pave1I don't believe it is super-critical, but I believe simply doing the -cip releases is the easiest way to go forward.12:18
uli_ftr, 5.10.253 is large, so 4.19 is not going to be an early release this time12:19
uli_if it's supposed to be quick i'd have to leave 253 patches and do one based on 254 only instead12:19
jkiwe could pull the fix early into 4.19 and do the rest later12:19
pave1uli: That would be the way to do it. I don't believe .254 changes depend on anything in .253.12:20
iwamatsu+112:20
uli_i think so, too12:20
jkiif we do earlier releases for the other CIP kernels, 4.19 should be treated similar12:20
jkiunless there are technical complications12:20
jkiso, who will look into the 4.19 backport?12:21
pave1I believe we can do -cip releases fairly easily. -cip-rt may be more tricky.12:21
arisut6.12 backports: https://lore.kernel.org/stable/20260430060702.110091-1-ebiggers@kernel.org/12:21
arisut6.1 backports: https://lore.kernel.org/stable/20260430062731.140497-1-ebiggers@kernel.org/12:21
jki-rt could be handled like 4.19: no baseline updates12:21
uli_jki: i will, i guess. it's in the pipeline anyway12:21
jkiuli_; thanks!12:22
jkithen we agree to give this fix prio in our queues and try to update all CIP kernels?12:23
pave1jki: In emergency, that probably can be done, but ... just trying to do the regular way would be preffered option.12:23
uli_+112:23
pave1I think that's best. I can simply go 6.12-cip, 6.1-cip, 5.10-cip and then figure out what to do with -rt.12:23
iwamatsu+112:24
jkigreat12:24
jkihope this does not ruin anyone's long weekend12:25
jki(where there is one)12:25
pave1Should I write some kind of "Copy fail is bad, disable CONFIG_foo especially on -rt, expect out of schedule kernels"?12:25
pave1email?12:25
jki+1 - thanks!12:26
jkimore on this? or other maintenance topics?12:26
jki512:27
jki412:27
jki312:27
jki212:27
jki112:27
jki#topic Kernel release status12:27
*** collab-meetbot changes topic to "Kernel release status (Meeting topic: CIP IRC weekly meeting)"12:27
jkiall green12:27
jkirest we just discussed12:27
jki512:27
jki412:27
jki312:27
jki212:27
jki112:27
jki#topic Kernel testing12:28
*** collab-meetbot changes topic to "Kernel testing (Meeting topic: CIP IRC weekly meeting)"12:28
arisutnothing from me12:28
pave17.0.3 is out; if we are testing it somewhere, tell me url :-)12:29
jkianything else on testing?12:30
arisutpave1, I'm currently fixing gentoo sources vulnerabilities12:30
arisutfor 7.0,3 testing I think you could look KernelCI as usual12:31
pave1ok, I'll ask again next week :-)12:31
pave1I'd like https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-7.0.y12:31
iwamatsuWe don't have it, so we need to create it...12:33
jkiso, $someone will do it once there is time ;)12:36
jkianything else?12:36
arisutmost of the recent kernel added commit a664bf3d603d12:36
arisutt reverts the 2017 algif_aead in-place optimization, so page-cache pages can no longer end up in the writable destination scatterlist. Most major distributions are shipping the fix now.12:37
jkiyes, this is what we discussed before, I think12:37
pave1Yep. That's the "copy fail" fix. Optimalization was bogus, anyway, so I don't expect performance regressions.12:37
arisutlooks now added on all new kernels12:38
jkidown to 5.10, see above12:38
arisutyes12:38
jkiso, anything else on /testing/? ;)12:39
arisutyou can use the patch I linked for above for disabling authencesn.o on older kernels12:39
jkiwhy? we have the reverts12:40
pave1Lets discuss that at aob session or after the meeting.12:40
jkithen let's move to aob - unless there is more on testing...12:40
jki512:40
jki412:40
jki312:40
jki212:40
jki112:40
jki#topic AOB12:40
*** collab-meetbot changes topic to "AOB (Meeting topic: CIP IRC weekly meeting)"12:40
jkithanks for the first config extension feedback!12:41
pave1arisut: Yes, that can be done, but that's quite a hack, and proper solution is as easy.12:41
arisutpave1, ok12:41
pave1jki: Sorry for taking time. That pc104 stuff scares me a bit (I thought it must have been a mistake) -- that's old hardware, but we should be able to do it.12:42
arisutcan you add also me in copy on the email/patch with the solution12:42
jkipavel: if you see any noteworthy effort increase as well, let me know12:43
jkithere are more questions/wishes coming, I'm moderating them first12:43
pave1arisut: We'll just update to latest stable kernels. There were released in last few hours, and they fix just this.12:43
pave1jki: ok, but I don't expect much effort increase. It was just strange.12:44
arisutpave1, what about older cip kernels ?12:44
pave1arisut: Down to 5.10, we have -stable fixes. For 4.19, we backport fixes from stable. 4.4 is not affected.12:44
arisutyes, I was meaning the 4.19 backport12:45
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has quit IRC (Read error: Connection reset by peer)12:46
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has joined #cip12:46
jkiother topics?12:48
pave1uli will be doing that. We hope 5.10 patches will simply apply. If not, we try to fit them12:48
pave1as usual, if that's impossible, we can probably just disable that, too.12:48
*** prabhakalad <prabhakalad!~prabhakar@97e54365.skybroadband.com> has quit IRC (Ping timeout: 246 seconds)12:49
*** prabhakalad <prabhakalad!~prabhakar@97e54365.skybroadband.com> has joined #cip12:50
jkiso...12:50
arisutjki, not from me I'm going back to pushing gentoo sources12:50
jkithen let's close12:51
jki512:51
jki412:51
jki312:51
jki212:51
jki112:51
jki#endmeeting12:51
collab-meetbotMeeting ended Thu Apr 30 12:51:28 2026 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)12:51
collab-meetbotMinutes:        http://ircbot.wl.linuxfoundation.org/meetings/cip/2026/04/cip.2026-04-30-12.00.html12:51
collab-meetbotMinutes (text): http://ircbot.wl.linuxfoundation.org/meetings/cip/2026/04/cip.2026-04-30-12.00.txt12:51
collab-meetbotLog:            http://ircbot.wl.linuxfoundation.org/meetings/cip/2026/04/cip.2026-04-30-12.00.log.html12:51
*** collab-meetbot changes topic to "Civil Infrastructure Platform Project. CIP mailing list at https://lists.cip-project.org/g/cip-dev | CIP kernel meeting every Thursday at 13:00 UTC | Find the meeting logs at https://ircbot.wl.linuxfoundation.org/meetings/cip/ and chat logs at https://ircbot.wl.linuxfoundation.org/logs/%23cip/"12:51
jkithanks!12:51
pave1Thank you!12:51
uli_thanks12:51
masamithank you12:51
iwamatsuThank you12:51
*** masami <masami!~masami@FL1-111-168-44-134.tky.mesh.ad.jp> has quit IRC (Quit: Leaving)12:51
arisuttnx12:52
*** jki <jki!~jki@62.156.206.16> has quit IRC (Quit: Leaving)12:53
*** prabhakalad <prabhakalad!~prabhakar@97e54365.skybroadband.com> has quit IRC (Ping timeout: 245 seconds)12:54
*** prabhakalad <prabhakalad!~prabhakar@97e54365.skybroadband.com> has joined #cip12:57
*** prabhakalad <prabhakalad!~prabhakar@97e54365.skybroadband.com> has quit IRC (Client Quit)12:58
*** prabhakalad <prabhakalad!~prabhakar@97e54365.skybroadband.com> has joined #cip12:58
*** ctani <ctani!~ctani@86.121.79.65> has quit IRC (Quit: Client closed)13:31
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has quit IRC (Ping timeout: 265 seconds)14:16
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has joined #cip14:36
*** arisut <arisut!~none@gentoo/developer/alicef> has quit IRC (Quit: install gentoo)15:01
*** arisut <arisut!~none@gentoo/developer/alicef> has joined #cip15:04
*** ChanServ sets mode: +o arisut15:04
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has quit IRC (Read error: Connection reset by peer)16:28
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has joined #cip16:31
*** monstr <monstr!~monstr@nat-108f.starnet.cz> has joined #cip16:57
*** monstr <monstr!~monstr@nat-108f.starnet.cz> has quit IRC (Ping timeout: 248 seconds)17:02
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has quit IRC (Ping timeout: 245 seconds)21:27
*** sskartheekadivi <sskartheekadivi!~sskarthee@user/sskartheekadivi> has joined #cip21:33
« Wednesday, 2026-04-29 Index Friday, 2026-05-01 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!