Hi, Punit-san,

Thanks for initiating the discussion.

Regarding the EOL of "v4.19" x "Debian Buster", it should be "2029-01-11" if we follow the following rule.

earlier of (Kernel, Debian) release date + 10 yrs

- SLTS4.19 kernel release date: Jan 11, 2019
https://docs.google.com/presentation/d/1R2r7_hVijKN1VTuVc92IE4U94p9AUU90bMFUoGRroUI/edit?pli=1#slide=id.p7
- Debian Buster release date: July 6, 2019
https://www.debian.org/releases/buster/

Ideally, the dates for the Core components should be aligned with CIP maintained kernels but there doesn't seem to be any public documentation for the CIP kernel EOL dates. Let me know if this is written down somewhere.

The projected EOLs are stated in the above document.
Regarding the web site, I noticed that the following page is not updated.

https://wiki.linuxfoundation.org/civilinfrastructureplatform/cipkernelmaintenance

I will discuss this inside the kernel team.

Best regards,
--
M. Kudo

-----Original Message-----
From: cip-dev@... <cip-dev@...> On Behalf Of punit1.agrawal@...
Sent: Thursday, April 9, 2020 2:27 PM
To: cip-dev@...
Cc: Daniel Sangorrin <daniel.sangorrin@...>; Kazuhiro Hayashi <kazuhiro3.hayashi@...>
Subject: [cip-dev] CIP Core target EOL dates

Hi,

CIP is planning to support the Kernels + Debian Rootfs combinations marked with 'x' in the table below.

+----------+----------+-----------+-----------+
| | Debian 8 | Debian 9 | Debian 10 |
| | Jessie | Stretch | Buster |
| Kernel | | | |
+----------+----------+-----------+-----------+
| v4.4 | x | x | |
+----------+----------+-----------+-----------+
| v4.19 | | x | x |
+----------+----------+-----------+-----------+

So far, the details of when the support is expected to end haven't been explicitly called out for Core components. It would be good to rectify this in order to set expectations and gather feedback from the user community.

In addition, it will be helpful in estimating the required effort and planning to resource the projects appropriately.

To start the conversation, I would like to propose the following target EOL dates for each of the supported combination.

Note: All the dates are in YYYY-MM-DD format

+----------+--------------+--------------+--------------+
| | Debian 8 | Debian 9 | Debian 10 |
| | Jessie | Stretch | Buster |
| Kernel | | | |
+----------+--------------+--------------+--------------+
| v4.4 | 2025-04-26 | 2026-01-10 | |
+----------+--------------+--------------+--------------+
| v4.19 | | 2027-06-17 | 2019-10-18 |
+----------+--------------+--------------+--------------+

The proposed dates have been calculated as

earlier of (Kernel, Debian) release date + 10 yrs

The choice of duration (10 yrs) is arbitrary and should be adjusted based on requirement and available resources. Also, some of the combinations could be dropped if there are no users for them.

Ideally, the dates for the Core components should be aligned with CIP maintained kernels but there doesn't seem to be any public documentation for the CIP kernel EOL dates. Let me know if this is written down somewhere.

All feedback welcome.

Thanks,
Punit


The relevant Debian[0][1][2] and Kernel[3] release dates are copied below for reference.

Debian Release Dates
--------------------
Jessie - 2015-04-26
Stretch - 2017-06-17
Buster - 2019-07-06

Linux Kernel Release Dates
--------------------------
v4.4 - 2016-01-10
v4.19 - 2018-10-18


[0] https://www.debian.org/releases/jessie/
[1] https://www.debian.org/releases/stretch/
[2] https://www.debian.org/releases/buster/
[3] https://www.kernel.org/category/releases.html

Hi,

CIP is planning to support the Kernels + Debian Rootfs combinations
marked with 'x' in the table below.

+----------+----------+-----------+-----------+
| | Debian 8 | Debian 9 | Debian 10 |
| | Jessie | Stretch | Buster |
| Kernel | | | |
+----------+----------+-----------+-----------+
| v4.4 | x | x | |
+----------+----------+-----------+-----------+
| v4.19 | | x | x |
+----------+----------+-----------+-----------+

So far, the details of when the support is expected to end haven't been
explicitly called out for Core components. It would be good to rectify
this in order to set expectations and gather feedback from the user
community.

In addition, it will be helpful in estimating the required effort and
planning to resource the projects appropriately.

To start the conversation, I would like to propose the following target
EOL dates for each of the supported combination.

Note: All the dates are in YYYY-MM-DD format

+----------+--------------+--------------+--------------+
| | Debian 8 | Debian 9 | Debian 10 |
| | Jessie | Stretch | Buster |
| Kernel | | | |
+----------+--------------+--------------+--------------+
| v4.4 | 2025-04-26 | 2026-01-10 | |
+----------+--------------+--------------+--------------+
| v4.19 | | 2027-06-17 | 2019-10-18 |
+----------+--------------+--------------+--------------+

The proposed dates have been calculated as

earlier of (Kernel, Debian) release date + 10 yrs

The choice of duration (10 yrs) is arbitrary and should be adjusted
based on requirement and available resources. Also, some of the
combinations could be dropped if there are no users for them.

Ideally, the dates for the Core components should be aligned with CIP
maintained kernels but there doesn't seem to be any public documentation
for the CIP kernel EOL dates. Let me know if this is written down
somewhere.

All feedback welcome.

Thanks,
Punit


The relevant Debian[0][1][2] and Kernel[3] release dates are copied
below for reference.

Debian Release Dates
--------------------
Jessie - 2015-04-26
Stretch - 2017-06-17
Buster - 2019-07-06

Linux Kernel Release Dates
--------------------------
v4.4 - 2016-01-10
v4.19 - 2018-10-18


[0] https://www.debian.org/releases/jessie/
[1] https://www.debian.org/releases/stretch/
[2] https://www.debian.org/releases/buster/
[3] https://www.kernel.org/category/releases.html

Hi all,

Kindly be reminded to attend the weekly meeting through IRC to discuss technical topics with CIP kernel today.

*Please note that the IRC meeting was rescheduled to UTC (GMT) 09:00 starting from the first week of Apr. according to TSC meeting*
https://www.timeanddate.com/worldclock/meetingdetails.html?year=2020&month=4&day=9&hour=9&min=0&sec=0&p1=224&p2=179&p3=136&p4=37&p5=241&p6=248

USWest USEast UK DE TW JP
02:00 05:00 10:00 11:00 17:00 18:00

Channel:
* irc:chat.freenode.net:6667/cip

Last meeting minutes:
https://irclogs.baserock.org/meetings/cip/2020/04/cip.2020-04-02-09.00.log.html

Agenda:

* Action item
1. Combine root filesystem with kselftest binary - Iwamatsu-san
2. Strengthen sustainable process to backport patches from Mainline/LTS - Kernel Team
2-1. Workflow for identifying important fixes, backporting, and reviewing them
2-2. Prepare the tools to be used for this workflow
2-3. Get practice in backporting patches
3. Upload a guideline for reference hardware platform addition - masashi910
4. Identify target boards and configs for RT kernel testing (4.4rt and 4.19rt) - masashi910

* Kernel maintenance updates
* Kernel testing
* CIP Core
* Software update
* CIP Security
* AOB

The meeting will take 30 min, although it can be extended to an hour if it makes sense and those involved in the topics can stay. Otherwise, the topic will be taken offline or in the next meeting.

Best regards,
--
M. Kudo
Cybertrust Japan Co., Ltd.

Hi,

The security WG nominated duplicity as a solution for "Control system backup" (CR7.3).
One of the common requirements of such backup software is check-point restart capability.
Duplicity provides this like the following.
https://lists.nongnu.org/archive/html/duplicity-announce/2009-06/msg00000.html

IMHO, I think tar is not met IEC63443-4-2 requirement, because tar itself does not have this capability,

Best regards,
--
M. Kudo

On Tue, Apr 07, 2020 at 08:58:31AM +0200, Jan Kiszka wrote:

Konstantin, could you have a look or organize help? This is a blocker for
us, groups.io must not mess with messages.

But given that other projects are using this workflow as well, I strongly
suspect there is a way to fix it.

On each list's "Settings" page there is an option called:

Separate Message Footers
(Place message footers in a separate MIME part)

That's the one you want enabled.

-K

On 07.04.20 17:12, Konstantin Ryabitsev wrote:

On Tue, Apr 07, 2020 at 08:58:31AM +0200, Jan Kiszka wrote:

Konstantin, could you have a look or organize help? This is a blocker for
us, groups.io must not mess with messages.

But given that other projects are using this workflow as well, I strongly
suspect there is a way to fix it.

On each list's "Settings" page there is an option called:
Separate Message Footers
(Place message footers in a separate MIME part)
That's the one you want enabled.

Perfect! Neal, you are admin? Can you change that?

Thanks,
Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Hi!

They seem to add this kind of trailer to the messages, breaking GPG
signatures :-(.

(I won't quote full trailer as it seems to contain some secrets?)

I wonder if it's possible to turn these off by the admin.

Also, another thing to test is the impact of the footer on applying
patches sent via email (git am / git apply).

I suspect footer won't cause problems with patches; there are many
lists that add such footers, and patches normally survive that okay.

But our project is quite security-focused, so it would be good to
preserve GPG signatures...

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Hi Neal,

On 07.04.20 03:44, punit1.agrawal@... wrote:

Pavel Machek <pavel@...> writes:

Hi!

The migration is complete.

You should receive an email shortly asking you to log in with your email
address and set a password.

One important note, please do NOT unsubscribe from the "main" list. This
would unsubscribe you from all of the CIP lists. "main" is an
administrative list used by Groups.io as a parent list to manage the other
lists. Please let me know if you have any questions or issues.

And we have first problem.

They seem to add this kind of trailer to the messages, breaking GPG
signatures :-(.

(I won't quote full trailer as it seems to contain some secrets?)

I wonder if it's possible to turn these off by the admin.
Also, another thing to test is the impact of the footer on applying
patches sent via email (git am / git apply).

Konstantin, could you have a look or organize help? This is a blocker for us, groups.io must not mess with messages.

But given that other projects are using this workflow as well, I strongly suspect there is a way to fix it.

Thanks,
Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Hi,

Pavel Machek <pavel@...> writes:

Hi!

The migration is complete.

You should receive an email shortly asking you to log in with your email
address and set a password.

One important note, please do NOT unsubscribe from the "main" list. This
would unsubscribe you from all of the CIP lists. "main" is an
administrative list used by Groups.io as a parent list to manage the other
lists. Please let me know if you have any questions or issues.

And we have first problem.

They seem to add this kind of trailer to the messages, breaking GPG
signatures :-(.

(I won't quote full trailer as it seems to contain some secrets?)

I wonder if it's possible to turn these off by the admin.

Also, another thing to test is the impact of the footer on applying
patches sent via email (git am / git apply).

Hi!

The migration is complete.

You should receive an email shortly asking you to log in with your email
address and set a password.

One important note, please do NOT unsubscribe from the "main" list. This
would unsubscribe you from all of the CIP lists. "main" is an
administrative list used by Groups.io as a parent list to manage the other
lists. Please let me know if you have any questions or issues.

And we have first problem.

They seem to add this kind of trailer to the messages, breaking GPG
signatures :-(.

(I won't quote full trailer as it seems to contain some secrets?)

Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

On Mon 2020-04-06 12:15:16, Jan Kiszka wrote:

On 03.04.20 23:47, Pavel Machek wrote:

Hi!

FYI, unfortunately we couldn't find the alternative package for system backup. The duplicity is the best package for us from the license and num of dependencies point of view.
See the following.

<duplicity>
Encryption: Yes
Schedule backup: No
Incremental backup: Yes
License: GPL v2
Dependencies count (aprox): 80
Reference: http://duplicity.nongnu.org/features.ht

I'm not sure what your exact requirements are, but have you considered
"tar"? It should be possible to pipe its output to aespipe (and
possibly other tools) to get encryption, and it should be able to do
incremental backups...

I suppose there is that concern about GPLv3 again (as with broadly used
rsync) - which is generally overrated. There exists legal views that already
GPLv2 requires to keep such licensed components replaceable on the target.
What then effectively remains with v3 is its, well, wording complexity.

Does "tar" match the requirements?

And I agree that best option would be to accept GPLv3.

If that's out of question, I'm pretty sure we can get GPLv2 tar
implementation somewhere. busybox has implementation, and I'm pretty
sure there's GPLv2 fork of busybox. Old version of tar should be
GPLv2. Still better than porting duplicity to different python
version...

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

On 03.04.20 23:47, Pavel Machek wrote:

Hi!

FYI, unfortunately we couldn't find the alternative package for system backup. The duplicity is the best package for us from the license and num of dependencies point of view.
See the following.

<duplicity>
Encryption: Yes
Schedule backup: No
Incremental backup: Yes
License: GPL v2
Dependencies count (aprox): 80
Reference: http://duplicity.nongnu.org/features.ht

I'm not sure what your exact requirements are, but have you considered
"tar"? It should be possible to pipe its output to aespipe (and
possibly other tools) to get encryption, and it should be able to do
incremental backups...

I suppose there is that concern about GPLv3 again (as with broadly used rsync) - which is generally overrated. There exists legal views that already GPLv2 requires to keep such licensed components replaceable on the target. What then effectively remains with v3 is its, well, wording complexity.

Jan

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Hi Kent,

Kento Yoshida <kento.yoshida.wz@...> writes:

Thank you for your feedback, Iwamatsu-san.

-----Original Message-----
From: nobuhiro1.iwamatsu@... <nobuhiro1.iwamatsu@...>

[...]

As you may know, some of other packages we selected are dependent on python

3.x, so we may have the below options:

1. Maintain python 2.7 as well
2. Backport the upper duplicity which migrated python 3.x in bullseye
archive 3. Others

What do you think is best?
I hope we can decide the policy within the CIP core group because there shall be

similar problems for the others of python.

In my opinion, it is difficult to support Python2 for a super long term. And I think
it is difficult to support each library using Python2.
Therefore, I think Option2 is good. And if necessary, we can use
backposts.debian.org.

Actually, option-2 is dominant in the security team as well.

From a brief look at the pros / cons between the two choices (below), I
am also biased towards backporting a python3 based version of duplicity.

Suggested next steps further down -

* Python2

Pros
----
* No backport (to Buster) needed (least effort, right now)

Cons
----
* Has reached EOL in upstream. Not sure about ELTS support. It maybe
that if we go with Python2, we (CIP) is on our own.


* Python3

Pros
----
* Python3 is available in Debian Buster
* Likely to be supported for longer time - upstream and in Debian

Cons
----
* Needs backporting duplicity (and dependencies) to Buster via
backports to align with upstream first approach of CIP.
- From a quick check of dependencies in bullseye a backport of
librsync2 might also be needed.


Next steps
----------
* Investigate the effort to backport duplicity (and dependencies) to
buster-backports.
* If no major surprises are found during the investigation, work with
Debian upstream to upload the new version.

Hope that makes sense.

Thanks,
Punit

However, packages with large dependencies can be difficult to backports. For
example Kbuckup is difficult, I think.

Agree. We are not going to select the package which is GPL-3 or has a lot of dependent package, so the duplicity is only one candidate for us substantially.

Best regards,
Nobuhiro

From: cip-dev [mailto:cip-dev-bounces@...] On Behalf Of Kento
Yoshida
Sent: Thursday, April 2, 2020 6:59 PM
To: cip-dev@...
Cc: cip-security@...
Subject: [cip-dev] Python 3.x vs 2.7

Hi CIP core group,

The security package proposal is suspended now, but I'd like to discuss about the
python version which is suitable to maintain.

We selected "duplicity" for the requirement of system backup according to the
functionality, license, the number of dependencies and so on.
However, the duplicity in the Debian buster [1] dependent on python 2.7, which is
not maintained anymore [2].

[1] https://packages.debian.org/source/buster/duplicity
[2] https://pythonclock.org/

As you may know, some of other packages we selected are dependent on python
3.x, so we may have the below options:

1. Maintain python 2.7 as well
2. Backport the upper duplicity which migrated python 3.x in bullseye archive 3.
Others

What do you think is best?
I hope we can decide the policy within the CIP core group because there shall be
similar problems for the others of python.

FYI, unfortunately we couldn't find the alternative package for system backup. The
duplicity is the best package for us from the license and num of dependencies
point of view.
See the following.

<Rsync>
Encryption: No
Schedule backup: No
Incremental backup: Yes
License: GPL v3
Dependencies count (aprox): 24
Reference: https://rsync.samba.org/features.html

<duplicity>
Encryption: Yes
Schedule backup: No
Incremental backup: Yes
License: GPL v2
Dependencies count (aprox): 80
Reference: http://duplicity.nongnu.org/features.ht

<Backuppc>
Encryption: No
Schedule backup: Yes
Incremental backup: Yes
License: GPL-2+, X11
Dependencies count (aprox): 132
Reference: http://backuppc.sourceforge.net/info.html

<Amanda>
Encryption: Yes
Schedule backup: Yes
Incremental backup: Yes
License: GPL-2+
Dependencies count (aprox): 289
Reference: https://www.zmanda.com/amanda-community-edition.html

<Kbackup>
Encryption: Yes
Schedule backup: Yes
Incremental backup: Yes
License: GPL-2, LGPL-2.1, GFDL-1.2+, KDEeV Dependencies count (aprox): 414
Reference: https://kde.org/applications/utilities/org.kde.kbackup

Best regards,
Kent

_______________________________________________
cip-dev mailing list
cip-dev@...
https://lists.cip-project.org/mailman/listinfo/cip-dev

Hi!

FYI, unfortunately we couldn't find the alternative package for system backup. The duplicity is the best package for us from the license and num of dependencies point of view.
See the following.

<duplicity>
Encryption: Yes
Schedule backup: No
Incremental backup: Yes
License: GPL v2
Dependencies count (aprox): 80
Reference: http://duplicity.nongnu.org/features.ht

I'm not sure what your exact requirements are, but have you considered
"tar"? It should be possible to pipe its output to aespipe (and
possibly other tools) to get encryption, and it should be able to do
incremental backups...

Best regards,
Pavel

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany