XPost: linux.debian.kernel, linux.debian.maint.boot

Hi

I would like to upload next version of the 6.12.y stable series to
unstable, which will be 6.12.37-1, though depending on an ack/nack
from SRM and/or debian-boot.

The update contains in particular the mitigations for the Transitive
Scheduler Attacks (TSA) (CVE-2024-36350, CVE-2024-36357). To be
effective, they require both the support in kernel as a corresponding amd64-microcode update (thus Henrique to check if that would be
possible to upload to unstable and let migrate to trixie).

Apart from the stable import, there are pending two packaging changes.

* Revert "cgroup: Do not report unavailable v1 controllers in
/proc/cgroups" (Closes: #1108294)

The revert commit from Ben Hutchings explains the situation:
| For compatibility with older versions of OpenJDK, we need to keep
| listing the cpuset and memory controllers in /proc/cgroups even
| though they no longer support the cgroups v1 API. https://salsa.debian.org/kernel-team/linux/-/commit/4c797eb8f8e2c6074c707cd906a452a2167bc67f
(we asked upstream if that can be officially reverted, but we guess we
will need to ship this patch indepently for trixie's lifecycle).

* rtw89: Enable RTW89_8851BE, RTW89_8852BTE as modules (Closes: #1108965)

Adds support for instance for the Realtek 8851BE WiFi chip.

As full freeze is approaching I will defintively wait a bit on this
upload before hearing back.

Regards,
Salvatore

-----BEGIN PGP SIGNATURE-----

iQKTBAABCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmhwH8RfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0S5BhAAj/R1scUao6SYMCmZJipaONNDQC8Moo4NlUpg95phZbiLMbXWhyKfayPY CW8S9ouNaBjM7AXsv9CaAI3zIOCdsmxnikNA4mngs9DSU07PVEipS20Tik3KfrbR pl7N1SAfuxY4CEmTt8AMtV0M7kXAETo05zMusGZkZKXzE6Y89zTHbrdF3RcTBw7q 3eqI5whtKNUdS03MGmni4esL3r4VMfTamSlnXeGqdmlIJ0canHPOuMslU0TKuB4O bP6grwNXkOmBnpvmiCnLEx6msy4W4+7ZbBrd3Zl4xMzHorTRfYK3RFLiCqCEyAbE g1yS5LGqp2bh0G6VQWrFU1piZ0vp+Pc3jmusdpkwY3OXpIgmGPA+kYwrxWf44VXY Rth06NjoQqE+Y5PD5awXRvNrO0SDKKgwv/gUu+9LvNzVwzH5cSAbV/YhOeZGoEWf R4bML1ikzT51jQw9HlKeBcycYS2UFmG0aDKnxSYb81XxD7Py0gkTtKHEteym45xB G51XmEgCx7Zpkav16RgWSfWV4GKQ9faJcK1r5CCeWAEQL5MfTYtLmP+4dk5AkciJ DVarD3zoWcj8K74WerDKbmyOJ6Z5q/pGZaCUO9FL5vT0QDyFOiW2qAlsVupsTZy3 GHT5U3DRZ45p1UWrkt1zQUHc/ZMzLDCAfetQk+wQeiWIZzrYxso=
=A3TT
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.kernel, linux.debian.maint.boot

Hi Salvatore,

Salvatore Bonaccorso <[email protected]> (2025-07-10):

I would like to upload next version of the 6.12.y stable series to
unstable, which will be 6.12.37-1, though depending on an ack/nack
from SRM and/or debian-boot.

As far as I'm concerned, feel free to go ahead.


Cheers,
--
Cyril Brulebois ([email protected]) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmhwLuAACgkQ/5FK8MKz VSBKhg//ZO6K4w0NDA26hwDF3PQJluup7cWURDJ66OdIBBashnG092rCAK+YP29h QgWW0Udk57C3Eut2Mf410k3XingGoNcPrVIzt8HPG5IFxVQSOTFdGC0OkzF8M2nr f6WB9qILP1JbJVfw1p75myxbTMan74MX0JFuxtAmHAZyMlWrmhFiVYgyqh2UGrC3 +uq3W4txToDMTsj26htv2C2M5u8Lw6ar+kR+TgmwJH3mlTvlLn4g/JkmHOlF8BJu QYX77Rtqg7b32LPAdvCtd6Cj1rzcPtHLO4eakBcPIaYdbD2FnlcFkh2RwjubJgMy ZAIu3QmmRRW78Dtag9Ffv5K+ckm34+EkT5UBDiyv7FePMh4oNAatZ2Nu2HkNs1pT QJt0evqY8WzaboO/J7D5PdhYUPeRqhC/oZeMLZCOd7WBeaQMV2+FZiG/6EUOyexa HzFd0iwv9Pkegks47G0qrIliegJ4M5MTaFJNuoUMscHIHCGDTxERJiAWTNELyHtL FfZM2Emo7BwZwoXGL0J0ZaRK6y+jmEqkxy4xy3i3+ECMNe+zinChwGYw/lITvAjy uhQCldJOhhfH6i51uXa5xQDciuEUQNPhUNJtEwfC1y3tXUeiDzu0DvUtLayXYH6A NOVQ/qSShuTLCfOs1P2pZ+0V+7b5g631AhM2QwJTNt0zJ7UpNq0=
=JDp4
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

XPost: linux.debian.kernel, linux.debian.maint.boot

Hi kernel and ftp teams,

Salvatore Bonaccorso <[email protected]> (2025-07-10):

I would like to upload next version of the 6.12.y stable series to
unstable, which will be 6.12.37-1, though depending on an ack/nack
from SRM and/or debian-boot.

That was ACK'd and uploaded, but we're still lacking linux-signed-arm64:
it's in NEW, and it'd be great to have it accepted.

The update contains in particular the mitigations for the Transitive Scheduler Attacks (TSA) (CVE-2024-36350, CVE-2024-36357). To be
effective, they require both the support in kernel as a corresponding amd64-microcode update (thus Henrique to check if that would be
possible to upload to unstable and let migrate to trixie).

I haven't seen any update on the amd64-microcode side, but I hope it's
not going to block src:linux* migration to testing, and to “only” make
the kernel-side fixes insufficient on their own?

Apart from the stable import, there are pending two packaging changes.

* Revert "cgroup: Do not report unavailable v1 controllers in
/proc/cgroups" (Closes: #1108294)

The revert commit from Ben Hutchings explains the situation:
| For compatibility with older versions of OpenJDK, we need to keep
| listing the cpuset and memory controllers in /proc/cgroups even
| though they no longer support the cgroups v1 API. https://salsa.debian.org/kernel-team/linux/-/commit/4c797eb8f8e2c6074c707cd906a452a2167bc67f
(we asked upstream if that can be officially reverted, but we guess we
will need to ship this patch indepently for trixie's lifecycle).

* rtw89: Enable RTW89_8851BE, RTW89_8852BTE as modules (Closes: #1108965)

Adds support for instance for the Realtek 8851BE WiFi chip.

As full freeze is approaching I will defintively wait a bit on this
upload before hearing back.

Given https://lists.debian.org/debian-release/2025/07/msg00500.html
I think we might stay with 6.12.37-1 for 13.0, at least in theory?

I'm happy to still consider newer linux versions if you decide we need
to ship this or that bugfix ASAP, so feel free to sync with me regarding feasibility!


Cheers,
--
Cyril Brulebois ([email protected]) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmh1MdUACgkQ/5FK8MKz VSBSDBAAkeiekpU4s4gkbb2CUIXdpgVvzY7dA5/VhRIv1xXuvNA6xaDkhHSzawQI 6dzRUYi8KVY8ShGKrGzCyRx2elCZVP1SQjV9MEgMdeGhOCzJC3h4JXoKTrZdirCU 4uUMnZEEhT4ZanRy0Dc9UaibhsGtfs77pU0GunsG/o44J17As6LSaa5OaEnVHwWf lSNxIvMcSAqFvmVPV0fKxtK3t9N0zw834TYGi6/YbWNqt5KZ2NJBh+w5ncA/738X hYyhUQV/GxTeMX8THln1E+Vt2n0lLKvs52EYw2F8rpxFWUek2O5Sk1QxoJ73axe8 ZFZgiO7DkB8GBbs/vDK1QlRaM9OeMko5uvlM5Nu5TluAKz38K92xMDPkAYg9dJCY fR8JnwL21op6i2zYOiDYfgTrjAoOT59dC+CR/6zYj15iN1ws+VbZO1siAtfeFQqB gVz6ANXceGQgfOKQot/qouLBbIITvwKxZXVm2WchvxkCXTtCQuwBbp1r5m7Kk/FI XdOI8g5bgVrDTMakM/QLfU7mEltNJ67ydA/SI28fj1K50UDECL+r1L5sZPtVysL3 FvSZaUEb4424lJjrzAXHXPMFeh2v2kFIahqIxnBoy3mWcivls118TCCD9IOAvUhn S4lW4Kf4QcWk5Lt0752gvtt4fTGReVezkb0k5AYmTKNkAeCmE2o=
=v/Ev
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

XPost: linux.debian.kernel, linux.debian.maint.boot

Hi Cyril

[sorryf or the late reply was not able to do it yesterday]

On Mon, Jul 14, 2025 at 06:35:36PM +0200, Cyril Brulebois wrote:

Hi kernel and ftp teams,

Salvatore Bonaccorso <[email protected]> (2025-07-10):

I would like to upload next version of the 6.12.y stable series to unstable, which will be 6.12.37-1, though depending on an ack/nack
from SRM and/or debian-boot.

That was ACK'd and uploaded, but we're still lacking linux-signed-arm64:
it's in NEW, and it'd be great to have it accepted.

Ack, given that see below.

The update contains in particular the mitigations for the Transitive Scheduler Attacks (TSA) (CVE-2024-36350, CVE-2024-36357). To be
effective, they require both the support in kernel as a corresponding amd64-microcode update (thus Henrique to check if that would be
possible to upload to unstable and let migrate to trixie).

I haven't seen any update on the amd64-microcode side, but I hope it's
not going to block src:linux* migration to testing, and to “only” make the kernel-side fixes insufficient on their own?

NO there was none, and we need both sides to get the mitigation. I was
pinging Henrique to see on the state, cf.
https://bugs.debian.org/1109035 but so far have not heard back from
him, will try aain.

Apart from the stable import, there are pending two packaging changes.

* Revert "cgroup: Do not report unavailable v1 controllers in
/proc/cgroups" (Closes: #1108294)

The revert commit from Ben Hutchings explains the situation:
| For compatibility with older versions of OpenJDK, we need to keep
| listing the cpuset and memory controllers in /proc/cgroups even
| though they no longer support the cgroups v1 API. https://salsa.debian.org/kernel-team/linux/-/commit/4c797eb8f8e2c6074c707cd906a452a2167bc67f
(we asked upstream if that can be officially reverted, but we guess we
will need to ship this patch indepently for trixie's lifecycle).

* rtw89: Enable RTW89_8851BE, RTW89_8852BTE as modules (Closes: #1108965)

Adds support for instance for the Realtek 8851BE WiFi chip.

As full freeze is approaching I will defintively wait a bit on this
upload before hearing back.

Given https://lists.debian.org/debian-release/2025/07/msg00500.html
I think we might stay with 6.12.37-1 for 13.0, at least in theory?

I'm happy to still consider newer linux versions if you decide we need
to ship this or that bugfix ASAP, so feel free to sync with me regarding feasibility!

Ack. But I think then at least 6.12.38-1 needs to follow now. The
reason is the following, 6.12.38 was a single commit upload fixing a
problem with the TSA itigations. I was not hurring it just after the
import given we had not yet the microcode part, but if we are
approaching tirxie hard freeze and release then it is sensible to
upload that *now*.

For reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.12.38&id=faac2abe895d200615a91acb63a709feb3dac1c2
(there is a similar problem with 6.1.y but that did not yet hit
bookworm, given I did hold back uploads there to have first some upper
level exposure and waiting for resolving the microcode situation).

If I have not heard an explicit ACK/NACK and given we still miss the
signed packages for arm64 yet, then I will upload tonight latest the
6.12.38-1 version to unstable.

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.kernel, linux.debian.maint.boot

Hi,

Salvatore Bonaccorso <[email protected]> (2025-07-16):

Ack. But I think then at least 6.12.38-1 needs to follow now. The
reason is the following, 6.12.38 was a single commit upload fixing a
problem with the TSA itigations. I was not hurring it just after the
import given we had not yet the microcode part, but if we are
approaching tirxie hard freeze and release then it is sensible to
upload that *now*.

Let's go, then!


Cheers,
--
Cyril Brulebois ([email protected]) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmh3QsoACgkQ/5FK8MKz VSAHvQ//W6KO7A1hriXKatkl0zza3M/nCzy/oto69sSJdjiPUlXDrF9BSh6Q5uvH u3fkdmw+4P0wukBoIR+AAQotnVHzt0NI4qXzeTw3rcOXeAUWtmVEACKs6/q153Qd 4Er063XGvBLUdZiYUqAIzd47Wyr9XoC2l+3CfiqBzzIhTc58eY4J/iSNSnUIJCeb Mdt794kOuFg/eLN4pbWxJNLB0IOpo4tVXouhlclsJP24qJ+Du2kk/nT6l9kSMagn HzcKNvXQYdtnQKKfe1qtKhyIzwFxFOwJh56dfN5kJ/WBoQJtvss7zK5j3CsT05Ls AnOlJ34G8fApHBQU8484oH4ckeqMpjh+zgGnGE83rS2XByycFF+ib2q5Hk2c56yZ 4yBfr56NxQQrK5qZmNA7MbxCMO+hrhdHegjw2+yCkq/jHOgdlQCKwLgdBL9QxPOs 8vS98OhlKFm5btf/6YU2IAgSpjpFc0+yiZ5281Ng8XVMAYnV7g+pdDQpSWm5IEYQ kssSgkpC8+n3g9r9cS0rgl7ePZfAy4NAqXtv8gYghN/h0GqLGb3N8leUZZaN5tAo BVtaPwVDRKtc/lW126/trP2R8hcupssOryLaYMTUpudzPQ+effL2Cnm2n5VookAW xMnN8+2fDINBOsrXpXfda8izPgEOc1Fi5ZV0eMmIserfQmx0R1o=
=1f3t
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
*

XPost: linux.debian.kernel, linux.debian.maint.boot

Hi Cyril,

On Wed, Jul 16, 2025 at 08:12:28AM +0200, Cyril Brulebois wrote:

Hi,

Salvatore Bonaccorso <[email protected]> (2025-07-16):

Ack. But I think then at least 6.12.38-1 needs to follow now. The
reason is the following, 6.12.38 was a single commit upload fixing a problem with the TSA itigations. I was not hurring it just after the
import given we had not yet the microcode part, but if we are
approaching tirxie hard freeze and release then it is sensible to
upload that *now*.

Let's go, then!

Thanks for the confirmation and sorry if that is causing you trouble.

I will keep you posted (esp. if we know more on amd64 microcode as
well).

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)