Release announcement: Trisquel 9.0.1 Etiona security update

43 replies
quidam

Joined: 12/22/2004

Images are available at https://trisquel.info/download or directly at
https://cdimage.trisquel.info/ and its mirrors.

This minor update to the 9.x "Etiona" series is intended to provide an
up to date set of ISO images, both for use as an installation medium and
as a live environment with newer packages. This addresses two main
security concerns in the 9.0 original ISO images:

* An outdated Certificate Authority collection (package
ca-certificates) included an expired root certificate for LetsEncrypt,
resulting in blocked access to repositories for new packages or updates.
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

* Overlooked binary blobs were found in versions of Linux-Libre prior
to v5.14. Updated packages were added to the Trisquel repositories to
correct the issue, and new ISO images were produced to include the fix.
http://www.fsfla.org/pipermail/linux-libre/2021-August/003439.html

Along with those fixes, the release includes any other security update
published upstream since we published Etiona, and the latest version of
the Mozilla-based "Abrowser" (v93).

These updates will contribute to keeping the v9.0 branch in good working
order as it will continue to be actively maintained until April 2023.

In other news, the development of Trisquel 10 is ongoing at great pace,
with initial ISO images being now available for testing at
https://cdbuilds.trisquel.org/nabia/ Please note that these images are
not yet intended for production usage, so use them only for testing and
development or (as it is true in any case) at your own risk.

Magic Banana

Joined: 07/24/2010

Thank you for the good news and, one more time, for your great work!

andyprough
Joined: 02/12/2015

nabia is quite pleasant to work with so far. I haven't found any problems with it. Nice work @quidam and devs.

loldier
Joined: 02/17/2016

A few minor issues:

https://trisquel.info/en/forum/samsung-scx-4200-scanner

https://trisquel.info/en/forum/trisquel-10-keyboard-indicator-missing

https://trisquel.info/en/forum/forward-triskel-100-beta-capable-install-and-boot#comment-161214

##EDIT##

Moreover, I have a hard time getting the ISO at one go. There seems to be a bandwidth problem on the server. The download is interrupted, usually every 1.01 GB, and then resumed.

Gnu
Joined: 03/08/2012

To verify the iso:

gpg -o trisquel-netinst_9.0.1_amd64.iso -d trisquel-netinst_9.0.1_amd64.iso.asc

Dave_Hunt

Joined: 09/19/2011

I, too, note the possible bandwidth problem on the server. I finally got a good download on the 4th try. Also, the torrent seemed not to work. I have Nabia on one machine. On another, I tried to upgrade Etiona to Nabia. I'll just go ahead and install from the iso.

quidam

Joined: 12/22/2004

Thanks for the reports, there are several problems and a 9.0.2 release is in the works.

Stallman rules
Joined: 08/10/2019

22-01-2022

Hallo Quidam 8O)

GREAT NEWS !!!

Do you know when... the 9.0.2 edition is to be released?

Or is TrisQuel 10 coming before TrisQuel 9.0.2?

we all.. need; free as in freedom... that's it.. and nothing more 8O)

and thank you for the enormous and hard work 8O)

best regards from Denmark 8O) 8O)

Ark74

Joined: 07/15/2009

At today's dev meeting, it was mentioned that in the following week(s), there will be the release of etiona 9.0.2
And a RC for nabia 10.0

That depends on the workload, hopefully it won't be long.
Cheers.

quidam

Joined: 12/22/2004

Test message (working on mail servers)

Gnu
Joined: 03/08/2012

gpg -o sha256sum.txt -d sha256sum.txt.asc

linuc
Joined: 10/17/2021

Unfortunately the server is so extremely slow that a download would take up to 80 hours. I'd rather wait a week before installing the new ISO ;-)

lanun
Joined: 04/01/2021

If this is an option for you, you might use the torrent file instead:

https://cdimage.trisquel.info/trisquel-images/trisquel-mini_9.0.1_amd64.iso.torrent

GNUbahn
Joined: 02/18/2016

Thanks for the continuous work on maintaining Trisquel.

Which would be the better/easier way to upgrade to version 9.0.1? Will one have to do a 'regular' installation via a usb pen or cd/dvd?

I tried to use the following commands without luck:

'do-release-upgrade'
$ sudo do-release-upgrade
Checking for a new Trisquel release
There is no development version of an LTS available.
To upgrade to the latest non-LTS develoment release
set Prompt=normal in /etc/update-manager/release-upgrades.

'do-release-upgrade -d' (https://trisquel.info/en/forum/distro-upgrade-documentation#comment-154808)
$ sudo do-release-upgrade -d
Checking for a new Trisquel release
There is no development version of an LTS available.
To upgrade to the latest non-LTS develoment release
set Prompt=normal in /etc/update-manager/release-upgrades.

'sudo sed -i s/flidas/etiona/ /etc/apt/sources.list && sudo apt update && sudo apt full-upgrade' (https://trisquel.info/en/forum/how-upgrade-trisquel-8-trisquel-9#comment-154948)
$ sudo sed -i s/flidas/etiona/ /etc/apt/sources.list && sudo apt update && sudo apt full-upgrade
[sudo] password for jcb:
Get:1 https://packages.riot.im/debian default InRelease [2.892 B]
Err:1 https://packages.riot.im/debian default InRelease
The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages <name at domain>
Ign:2 https://archive.trisquel.info/trisquel etiona InRelease
Ign:3 https://archive.trisquel.info/trisquel etiona-security InRelease
Ign:4 https://archive.trisquel.info/trisquel etiona-updates InRelease
Err:5 https://archive.trisquel.info/trisquel etiona Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 209.51.188.51 443]
Err:6 https://archive.trisquel.info/trisquel etiona-security Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 209.51.188.51 443]
Err:7 https://archive.trisquel.info/trisquel etiona-updates Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 209.51.188.51 443]
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.riot.im/debian default InRelease: The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages <name at domain>
E: The repository 'https://archive.trisquel.info/trisquel etiona Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://archive.trisquel.info/trisquel etiona-security Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://archive.trisquel.info/trisquel etiona-updates Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

It appears that I have had the same issue before: https://trisquel.info/en/forum/do-release-upgrade-doesnt-work

But this time I do not have 'any software installed via other PPA's (e.g. micahflee's PPA) or downloaded from other sites (e.g. https://sogo.nu/download.html#/frontends)?'

My /etc/apt/sources.list only contains entries of Etiona:
#deb cdrom:[Trisquel 9.0 _etiona_ - Release amd64 (20201018)]/ etiona main
# Trisquel repositories for supported software and updates
deb https://archive.trisquel.info/trisquel/ etiona main
deb-src https://archive.trisquel.info/trisquel/ etiona main
deb https://archive.trisquel.info/trisquel/ etiona-security main
deb-src https://archive.trisquel.info/trisquel/ etiona-security main
deb https://archive.trisquel.info/trisquel/ etiona-updates main
deb-src https://archive.trisquel.info/trisquel/ etiona-updates main
#deb https://archive.trisquel.info/trisquel/ etiona-backports main
#deb-src https://archive.trisquel.info/trisquel/ etiona-backports main

Magic Banana

Joined: 07/24/2010

EDIT: I read your post too rapidly and thought you wanted to upgrade to Trisquel 10 rather than 9.0.1. As lanun wrote, you need not do anything (and should therefore ignore what I wrote below) but regular updates to have Trisquel 9.0.1. Sorry!

'sudo sed -i s/flidas/etiona/ /etc/apt/sources.list && sudo apt update && sudo apt full-upgrade'

s/flidas/etiona/ substitutes "flidas" (Trisquel 8's code name) for "etiona" (Trisquel 9's code name). Because you currently use Trisquel 9 and Trisquel 10's code name is "nabia", here is the proper command line:
$ sudo sed -i s/etiona/nabia/ /etc/apt/sources.list && sudo apt update && sudo apt full-upgrade

Backup the user data before that: Trisquel 10 is not production-ready yet!

lanun
Joined: 04/01/2021

> Which would be the better/easier way to upgrade to version 9.0.1?

If you have installed Trisquel 9.0 Etiona, you should only need to keep it updated. Whatever Trisquel 9.0.1 Etiona ships with will also be updated on a 9.0 install.

People who wish to install now had better use the new iso (Trisquel 9.0.1), in order to spare themselves a whole year of updates after install, including the critical ones mentioned in the OP.

GNUbahn
Joined: 02/18/2016

This is what I initially thought, but then I got this response:
$ sudo apt update
[sudo] password for jcb:
Get:1 https://packages.riot.im/debian default InRelease [2.892 B]
Err:1 https://packages.riot.im/debian default InRelease
The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages <name at domain>
Ign:2 https://archive.trisquel.info/trisquel etiona InRelease
Ign:3 https://archive.trisquel.info/trisquel etiona-security InRelease
Ign:4 https://archive.trisquel.info/trisquel etiona-updates InRelease
Err:5 https://archive.trisquel.info/trisquel etiona Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 209.51.188.51 443]
Err:6 https://archive.trisquel.info/trisquel etiona-security Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 209.51.188.51 443]
Err:7 https://archive.trisquel.info/trisquel etiona-updates Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 209.51.188.51 443]
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.riot.im/debian default InRelease: The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages <name at domain>
E: The repository 'https://archive.trisquel.info/trisquel etiona Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://archive.trisquel.info/trisquel etiona-security Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'https://archive.trisquel.info/trisquel etiona-updates Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

... and since the update has to do with a certificate issue, I thought it might be necessary with a new installation.

Can you help me to identify the problem?
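The apt output quoted in the post above contains two unrelated failures: an expired signing key for a third-party repository and an expired TLS trust chain for the Trisquel archive. The following is an added example, not part of the original thread, that separates them; the function names and output labels are hypothetical, and the sample lines are copied from the post.

```shell
#!/bin/sh
# Added example: separate the independent failures in `apt update` output.

# Sample input: lines copied from the apt output quoted in the post above.
sample_apt_output() {
cat <<'EOF'
Get:1 https://packages.riot.im/debian default InRelease [2.892 B]
Err:1 https://packages.riot.im/debian default InRelease
The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages <name at domain>
Ign:2 https://archive.trisquel.info/trisquel etiona InRelease
Err:5 https://archive.trisquel.info/trisquel etiona Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 209.51.188.51 443]
Err:6 https://archive.trisquel.info/trisquel etiona-security Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 209.51.188.51 443]
Err:7 https://archive.trisquel.info/trisquel etiona-updates Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 209.51.188.51 443]
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.riot.im/debian default InRelease: The following signatures were invalid: EXPKEYSIG C2850B265AC085BD riot.im packages <name at domain>
E: The repository 'https://archive.trisquel.info/trisquel etiona Release' no longer has a Release file.
EOF
}

# Reads apt output on stdin and prints one line per root cause:
#   expired-signing-key URL SUITE KEYID
#   tls-expired-chain   URL SUITE
#   tls-untrusted       URL SUITE
classify_apt_errors() {
  awk '
    # An "Err:N URL SUITE ..." line names the source the next detail line refers to.
    /^Err:[0-9]+ /           { url = $2; suite = $3; pending = 1; next }
    # Other status lines and the W:/E:/N: summary only repeat earlier
    # errors, so they end the association and are skipped.
    /^(Get|Hit|Ign):[0-9]+ / { pending = 0; next }
    /^[WEN]: /               { pending = 0; next }
    !pending                 { next }
    # The repository signing key has expired: a fresh key from that vendor is needed.
    /EXPKEYSIG/ {
      for (i = 1; i < NF; i++) if ($i == "EXPKEYSIG") key = $(i + 1)
      print "expired-signing-key", url, suite, key
      pending = 0; next
    }
    # TLS trust failure: on this page the cause was the outdated
    # ca-certificates package on the client, not the repository.
    /Certificate verification failed:/ {
      kind = ($0 ~ /expired certificate/) ? "tls-expired-chain" : "tls-untrusted"
      print kind, url, suite
      pending = 0; next
    }
  '
}

sample_apt_output | classify_apt_errors
```

The later "no longer has a Release file" lines are a consequence of the TLS failure and are deliberately not reported as a separate cause.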

Ark74

Joined: 07/15/2009
GNUbahn
Joined: 02/18/2016

Thanks. Problem solved.

SabirSaleem90
Joined: 10/03/2021

So the version of Trisquel I am using can have binary blobs in Linux Libre 4.15 as I am using Trisquel 9.0 Version...

Regards: Sabir Saleem

SabirSaleem90
Joined: 10/03/2021

Also, how can I update to Trisquel 9.0.1 from the Trisquel 9.0 I am currently using, without CD or USB? Any idea?

Thank you

zorzi
Joined: 12/28/2021

Just apply updates. This should be enough.

"sudo apt update
sudo apt upgrade"

SabirSaleem90
Joined: 10/03/2021

Yes, I did this, but after that, when I checked the current version of Trisquel,

it still shows 9.0 instead of updated version 9.0.1

see screenshot please.

lanun
Joined: 04/01/2021

> it still shows 9.0

Because you still have 9.0. You have been updating 9.0 and making it closer to 9.0.1 with every update. You probably have been using the equivalent of a 9.0.1 system for a while already, and the last update you made was probably also an update for 9.0.1 systems.

Note the difference between "Trisquel 9.0.1 Etiona security update" and "Trisquel 10.0 Nabia", which is going to be a new version of Trisquel, with a new package base, for which a full system upgrade will be necessary. After which, your system will say "10.0".

SabirSaleem90
Joined: 10/03/2021

Oh, I understand now. So when I run the update and upgrade commands, I see package updates from the Trisquel repo, and now it says

0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

That means the system is fully updated and there is no need to install 9.0.1.

Thanks for your comments!

Regards: Sabir Saleem

SabirSaleem90
Joined: 10/03/2021

My very concerned questions, and the reason for doing a new installation instead of updating the current system, are below; can anyone please answer?

"Once the virus is active on the computer, it can copy itself to files, disks, and programs as they are used by the computer, whether automatically or by the computer user. The big difference between a computer virus and other programs is that the computer virus is specifically designed to make a copy of itself."

So if binary blobs were found in versions of Linux-Libre prior to 5.14,

my question is: if those blobs contain any malicious or other code (obviously we do not know), could it copy itself into other programs and files even if we update from the repo afterwards?

I think my question is very serious, isn't it?

Because so far we do not know that Linux-Libre is 100% blob-free, and people are still saying that some blobs were found and have now been removed in a newer update, so how do I make sure these blobs never infected my other files and folders in the system, as this is also a type of virus?

Any suggestions are welcome.

Magic Banana

Joined: 07/24/2010

As far as I understand https://www.fsfla.org/pipermail/linux-libre/2021-August/003439.html (definitely not as well as Legimet or jxself do!):

  • unless you own a ST VS6624 sensor, the related blob would never be executed (the related module would not even be loaded);
  • the other "overlooked binary blobs" deal with a CPU architecture (PowerPC) that Trisquel does not support: they never ended up in the kernels Trisquel was distributing.
Legimet
Joined: 12/10/2013

I don't think the VS6624 driver was included in Trisquel's binary packages either.

Magic Banana

Joined: 07/24/2010

Do you know what "issue" was "corrected" in "updated packages" then? (https://trisquel.info/en/release-announcement-trisquel-901-etiona-security-update includes the terms I quote.) Only the source packages received actual corrections?

jxself
Joined: 09/13/2010

We can see the changes to the deblobbing here:
https://gitlab.trisquel.org/trisquel/package-helpers/-/commit/dd27d8b5f7a8cfd2a0278f32652a9b4c8fb15b99#0e59b2ada48de5b0e70aefef616d1a71d604c3b2

You can see that there are changes for PowerPC and ST VS6624 sensor support.

Magic Banana

Joined: 07/24/2010

Thank you. However, my question was whether the modifications in the source packages have influenced the binary packages that Trisquel distributes. Since Trisquel has never shipped kernels for the PowerPC architecture and since Legimet does not "think the VS6624 driver was included in Trisquel's binary packages either", it looks like the binary packages have essentially not been modified, because the blobs have never been included. Am I right?

jxself
Joined: 09/13/2010

If CONFIG_VIDEO_VS6624 was not set then it would have amounted to a source code change. People may have seen kernel updates nevertheless though because my understanding is that new kernels were built and pushed out from the updated source anyway.

Legimet
Joined: 12/10/2013

Yes, this is my understanding. I would have to double check but I don't think CONFIG_VIDEO_VS6624 was set in Trisquel (or upstream in Ubuntu).

Magic Banana

Joined: 07/24/2010

Thank you for those answers. Those (such as SabirSaleem90) who have used Trisquel's binary kernels before Legimet's discovery of binary blobs should not be concerned then.

SabirSaleem90
Joined: 10/03/2021

Yes, but my question was: if something not libre in the kernel, like these bugs, comes up from time to time, what if we are using it and update when a new update comes?

The malicious scripts could be copied into our files and programs, so should we do a fresh installation again, or will an upgrade not impact security?

Thanks

Magic Banana

Joined: 07/24/2010

Proprietary software can be malware. Nevertheless, it needs to be executed to do its evil. In the present case, as far as I understand (but, now, I do not even understand what was to be corrected in the Trisquel's precompiled kernels, if anything), it was never executed.

SabirSaleem90
Joined: 10/03/2021

Yes, this platform is really very nice, but due to outdated packages, and also I see the kernel version is also not upgraded, currently 4.15,

I am switching to Parabola OS due to updated packages and other reasons.

But I appreciate the efforts of the Trisquel Team

and am waiting for the Trisquel 10 Stable Release.

Thank you

Regards: Sabir Saleem

Magic Banana

Joined: 07/24/2010

If you always want all the latest features free software programs propose (at the risk of having upgrades disturbing your current work), then go for Parabola. Nevertheless, security reasons seem to solely motivate your migration. Although stable, Trisquel is essentially as secure as Parabola: security fixes are backported (usually upstream, by Debian or Ubuntu) to the versions of the programs in every currently-supported version of Trisquel. Those are most of the updates you are frequently invited to install when you run a given version of Trisquel.

SabirSaleem90
Joined: 10/03/2021

So what if I understand.

1) If the VS6624 driver was not included in Trisquel's binary packages & Trisquel is not supporting PowerPC ST VS6624 sensor support.

So what changes are in Trisquel iso right now which are expected in 9.0.1.

Just clarifying my questions.

Thank you

jxself
Joined: 09/13/2010

The same as before:
https://trisquel.info/en/release-announcement-trisquel-901-etiona-security-update

The rebuilt kernel and the updated ca-certificates package. The Sources DVD ISO will have updated source code too.

Martins
Joined: 04/24/2013

Good day!

I have T9 on two systems. sudo apt-get update works for the T8 which was upgraded to T9 having:
rc linux-image-unsigned-4.4.0-194-generic 4.4.0-194.226+8.0trisquel3

and does not for an ISO installation of T9.0 having:
ii linux-image-4.15.0-121-generic 4.15.0-121+9.0trisquel6

Behavior is most certainly blob-like here. viewnior flipped my image and asked me to resave it. Date-time fell behind an entire day. Before I repeated the ISO T9.0 installation while connected - despite all of that: no dice. I conclude that the T9.0 ISO is dangerous and needs to be replaced with T9.1 ISO

Thanks for exposing this! Regards.

Magic Banana
Joined: 07/24/2010

As has already been explained to you, on a system installed from the 9.0 ISO, you can substitute every "https" for "http" in /etc/apt/sources.list, perform a regular update and upgrade, and make the reverse substitution. It is not "dangerous". You end up with exactly the same system as you would updating and upgrading a system installed from the 9.0.1 ISO.
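The substitution described in the post above, as an added example that is not part of the original thread: it switches the archive entries to http, runs a command, and always switches back. The function names are hypothetical, and limiting the rewrite to active archive.trisquel.info entries is a choice made here; apt still checks the signed Release file over http (see apt-secure(8)).

```shell
#!/bin/sh
# Added example: temporary https -> http switch for the Trisquel archive only.

# set_archive_scheme FILE http|https
# Rewrites active deb/deb-src entries for archive.trisquel.info. Commented
# lines and other repositories are left alone. sed keeps the previous
# version of the file as FILE.bak.
set_archive_scheme() {
  sas_file=$1
  case $2 in
    http)  sas_from=https sas_to=http ;;
    https) sas_from=http  sas_to=https ;;
    *)     echo "scheme must be http or https" >&2; return 2 ;;
  esac
  sed -i.bak -E \
    "/^[[:space:]]*deb(-src)?[[:space:]]/ s#${sas_from}://archive\.trisquel\.info/#${sas_to}://archive.trisquel.info/#" \
    "$sas_file"
}

# with_http_archive FILE COMMAND [ARGS...]
# Runs COMMAND while the archive entries use http, then restores https even
# if COMMAND fails, and returns the exit status of COMMAND.
with_http_archive() {
  wha_file=$1; shift
  set_archive_scheme "$wha_file" http || return
  wha_status=0
  "$@" || wha_status=$?
  set_archive_scheme "$wha_file" https || return
  return "$wha_status"
}

# On a system installed from the 9.0 ISO this would be run as root, e.g.:
#   with_http_archive /etc/apt/sources.list sh -c 'apt update && apt upgrade'
```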

Martins
Joined: 04/24/2013

Thank-you Magic Banana

I stand corrected.

Legimet
Joined: 12/10/2013

The Trisquel 9.0.2 iso was released, you should use that instead: https://cdimage.trisquel.info/trisquel-images/