On Tue, 23 May 2023, Paul Gevers wrote:
> > Bug fixes and translations will not be available in bookworm (I am upstream
> > ufw and I cut 0.36.2 specifically for bookworm users).
>
> Please elaborate. It's Full Freeze time. A new upstream needs a lot of
> defending to be considered a targeted fix at this stage of the release.

Sorry I didn't elaborate more initially. I too misread the timing and thought that, due to autopkgtests, the timing was still ok.

As mentioned, I am the upstream author for ufw as well as the Debian maintainer for ufw, and I had a choice to either cherry-pick the changes and apply them as patches in a 0.36.1-5 release or to gather them all into a 0.36.2-1 release. I chose the latter since I didn't expect there to be a problem. Practically speaking though, it would've been essentially the same.

Importantly, ufw had very good coverage via unit tests and functional tests, which are both part of the package build. There are additional runtime functional tests that are part of autopkgtests that run on a live system. It migrated to Ubuntu 23.10 and passed its build and autopkgtests too. ufw is also a leaf package and is not installed by default or as part of any tasks. Upgrades were manually tested from 0.36.1-4.1 to 0.36.2-1 on bookworm.

I'll outline the changes below.

## Upstream ChangeLog:

* src/ufw-init-functions: set default policy after loading rules. Thanks to Mauricio Faria de Oliveira. (LP: #1946804)

  This was already in 0.36.1-2 and I simply pulled it upstream. It was debian/patches/0004-set-default-policy-after-load.patch.

* doc/ufw.8:
  - document 'insert' and 'prepend' can't be used to update comments (LP: #1927737)

  This is new to 0.36.2, but only a documentation change to make existing functionality clearer. I feel this is a useful usability improvement for bookworm users.

* src/backend_iptables.py: remove unreachable code (LP: #1927734)

  This is new to 0.36.2 but a very minor change:
  https://git.launchpad.net/ufw/commit/?h=release/0.36&id=dc350c53c9bc8bad8d9cbd810adf53111bcd5c10

  This is safe to remove due to this line a few lines before it:
  https://git.launchpad.net/ufw/tree/src/backend_iptables.py?h=release/0.36&id=dc350c53c9bc8bad8d9cbd810adf53111bcd5c10#n997

  (ie, line 997 is already doing a 'position > len(rules)' check, so it is safe to remove the unreachable code in the aforementioned commit). This change could've been omitted for bookworm, but is also harmless.

* src/util.py:
  - properly parse /proc/pid/stat for WSL (LP: #2015645)

  This is one of the main reasons why I wanted an update for bookworm, since I wanted bookworm users on WSL to have a functional ufw. The change is here:
  https://git.launchpad.net/ufw/commit/?h=release/0.36&id=55669b732255c224343605272b793ae3fd534557

  Unit tests existed for prior behavior and new tests were added for the bug fix. I feel this is an important bug fix for bookworm users since without it, ufw fails to run on WSL.

* src/util.py:
  - mitigate odd length string with unhexlify (Closes: 1034568)

  This mitigates a traceback in the case that a rules file is somehow corrupted. The change is here:
  https://git.launchpad.net/ufw/commit/?h=release/0.36&id=751e3aa510a992140f748987221600ee4722ea75

  Unit tests existed for prior behavior and new tests were added for the bug fix. I feel this is a useful usability improvement for bookworm users.

* src/util.py:
  - support vrrp protocol (LP: #1996636)

  This is technically a new feature, but all it did was add a new protocol to an existing list, and so the change is considered safe. Most of the changes are for the man page and unit tests. The change is here:
  https://git.launchpad.net/ufw/commit/?h=release/0.36&id=49b50d9ebd4a381af9886fc1bff17191358188fc

  Unit tests existed for prior behavior and new tests were added for the bug fix. I debated this change as it could've been omitted for bookworm, but the change was obvious and small and added functionality that might be useful to keepalived users on bookworm.

* add locales/po/ro.po. Thanks Remus-Gabriel Chelu (Closes: 1034119)

  This adds the .ro translation that was submitted via the BTS. I verified the translations via Google Translate and also ran 0.36.2-1 through
  https://git.launchpad.net/qa-regression-testing/tree/scripts/test-ufw.py#n474
  which specifically tests that ufw runs under all the different locales. This test script is part of Ubuntu (of which I am also an Ubuntu developer) and doesn't work without modification on bookworm, but I did so and the locale works fine. I felt it important to shepherd the contribution to Debian into bookworm.

* add '-h' and show help with no args (LP: #1965462)

  This change simply adds '-h' to the already existing '--help' and 'help' commands and adjusts the parsing to raise a ValueError, which triggers showing the help message instead of just showing a less-than-helpful "not enough args" message like 0.36.1 did. This change is here:
  https://git.launchpad.net/ufw/commit/?h=release/0.36&id=bae7a5891946871ecf284f769e6acdd6e97ad55f

  Unit tests existed for prior behavior and new tests were added for the bug fix. I feel this is a useful usability improvement for bookworm users.

* src/backend.py: add get_rules_ipv4() and get_rules_ipv6() (LP: #1951018)

  This change is a small refactor and only adds new API calls for people importing ufw python code into their project. This change is here:
  https://git.launchpad.net/ufw/commit/?h=release/0.36&id=b13c4ffd001579c7e0166bb03d6299e5150fa9a6

  Unit tests existed for prior behavior, and as a result there is full coverage of these two APIs via the existing tests for get_rules() (which was adjusted to use the new get_rules_ipv4() and get_rules_ipv6() API calls). This change could've been omitted from bookworm, but the changes are obvious and tested.

* tests/check-requirements: update for python 3.10+

  This was already in 0.36.1-2 and I simply pulled it upstream. It was essentially debian/patches/0003-python3-versions.patch. check-requirements is only used during tests and as a debugging tool and is safe for bookworm.

* tests/root: normalize 'ACCEPT {all,tcp}' and 'ACCEPT N' for newer systems

  This was an update to functional tests that are run as part of autopkgtests so that they may run on newer kernels/iptables-nft, which output slightly different output than older kernels. As the autopkgtests for 0.36.2-1 passed everywhere, this is considered safe. This change is here:
  https://git.launchpad.net/ufw/commit/?h=release/0.36&id=7bcd3820d040cc66c8b1928d4b5c5d961652ba05

  I wanted to make larger scale changes to the tests since these tests are showing their age, but rather than doing that, I made the minimal changes necessary to make them pass on bookworm.

## debian/changelog

* add new debian/po/ro.po. Thanks Remus-Gabriel Chelu (Closes: 1033758)

  This adds .ro translations for debconf. I verified the changes in Google Translate. I felt it important to shepherd the contribution to Debian into bookworm.

* debian/control:
  - Breaks with iptables-persistent and netfilter-persistent.

  When ufw is installed, it is not enabled by default, so it doesn't interfere with other firewall software (until it is enabled). In contrast, iptables-persistent and netfilter-persistent install enabled, which interferes with ufw. Add a Breaks on these to avoid them being co-installed with ufw (and causing problems for users).

  ufw gets a slow trickle of bugs that confuse users because they install iptables-persistent or netfilter-persistent at some point, and this software unconditionally saves all firewall rules on shutdown to be added on boot, which causes race conditions with ufw since iptables-persistent/netfilter-persistent saves ufw rules along with other rules and ufw is expecting to be able to load its own rules. ufw is designed to operate only on its chains, but if other software like iptables-persistent/netfilter-persistent also tries to manage ufw's chains, it causes ufw to fail. This is entirely expected for firewall software in general and is not specific to ufw.

  Adding the Breaks simply makes it more clear to people installing ufw or iptables-persistent/netfilter-persistent that an action must be taken for the firewall to be expected to work properly. As most of the bugs I see that prompted this come from Debian, I added this for bookworm. I could do a 0.36.2-2 upload to remove this if desired, but I feel it will add clarity and avoid confusion for those users.

* debian/control:
  - use Python-Version instead of XB-Python-Version
  - remove Depends on obsolete lsb-base

* ufw.lintian-overrides:
  - update for breaks-without-version iptables-persistent and netfilter-persistent
  - update for newer lintian

  These changes were to address lintian issues.

Hopefully this answers your questions. Thanks for your consideration!

--
Email: ja...@strandboge.com
IRC: jdstrand
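The "properly parse /proc/pid/stat" item above gives no detail of the ufw change itself. The general pitfall with that file, as documented in proc(5), is that field 2 (the process name, "comm") is wrapped in parentheses and may itself contain spaces and parentheses, so splitting the whole line on whitespace assigns the wrong fields. The robust technique is to cut at the last ')' and only then split. The block below is an added example illustrating that technique; it is not ufw's code, and the stat lines in it are constructed (shaped after proc(5), not captured from a real system).

```python
"""Robust /proc/<pid>/stat parsing versus a naive whitespace split.

Added example, not code from ufw. The sample lines below are constructed
and only the first few fields after comm are meaningful here.
"""
import os

# Constructed sample contents. The second line has a comm field with spaces
# and nested parentheses, which is legal (comm is an arbitrary 16-byte name).
STAT_INIT = "1 (init) S 0 1 1 0 -1 4194560 1234 5678 0 0 12 34 0 0 20 0 1 0 9 "
STAT_ODD = "4242 (my prog (x)) S 1 4242 4242 0 -1 4194304 10 0 0 0 1 2 0 0 20 0 3 0 100 "


def parse_proc_stat_naive(text):
    """The fragile version: assumes comm never contains whitespace."""
    fields = text.split()
    return {
        "pid": int(fields[0]),
        "comm": fields[1].strip("()"),
        "state": fields[2],
        "ppid": int(fields[3]),
    }


def parse_proc_stat(text):
    """Split at the first '(' and the LAST ')' so comm survives intact.

    Everything after the last ')' is the whitespace-separated state and
    numeric fields in proc(5) order (state, ppid, pgrp, session, ...).
    """
    start = text.find("(")
    end = text.rfind(")")
    if start == -1 or end == -1 or end < start:
        raise ValueError("malformed stat line: no parenthesised comm field")
    rest = text[end + 1:].split()
    if len(rest) < 2:
        raise ValueError("malformed stat line: missing state/ppid fields")
    return {
        "pid": int(text[:start].strip()),
        "comm": text[start + 1:end],
        "state": rest[0],
        "ppid": int(rest[1]),
    }


def naive_fails(text):
    """True if the naive parser raises on this line (used to show the bug)."""
    try:
        parse_proc_stat_naive(text)
    except (ValueError, IndexError):
        return True
    return False


if __name__ == "__main__":
    # On a Linux host, parse our own entry; elsewhere fall back to the samples.
    path = "/proc/self/stat"
    if os.path.exists(path):
        with open(path) as fh:
            print(parse_proc_stat(fh.read()))
    for sample in (STAT_INIT, STAT_ODD):
        print(parse_proc_stat(sample), "naive fails:", naive_fails(sample))
```

The naive parser handles `STAT_INIT` but misreads `STAT_ODD` (it takes "prog" as the state and then fails converting "(x))" to an integer), while the last-paren version recovers `my prog (x)` as the name and `S` / `1` as state and parent pid.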
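The "mitigate odd length string with unhexlify" item says only that a corrupted rules file produced a traceback. The underlying behaviour is that `binascii.unhexlify()` raises `binascii.Error` on an odd-length or non-hex input, so a single damaged field aborts the whole load unless the caller validates first. The block below is an added example of that failure mode and a guarded decoder; it is not ufw's code. It assumes, for illustration only, a rules-file line whose trailing `comment=<hex>` field carries a hex-encoded comment; the sample lines are constructed, and the third one is deliberately truncated to an odd number of hex digits.

```python
"""Hex-encoded field decoding: unguarded unhexlify versus a validated decoder.

Added example, not code from ufw. The line layout and sample lines are
assumptions made for this illustration.
"""
import binascii
import re

# Hex is valid only as an even number of hex digits; the empty string is fine.
_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})*$")

# Constructed rules lines. The third has a truncated (odd-length) comment.
RULES = [
    "### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in comment=73736820616363657373",
    "### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in comment=68747470",
    "### tuple ### deny udp 53 0.0.0.0/0 any 0.0.0.0/0 in comment=646e7",
]


def naive_decode_comment(hexstr):
    """Unguarded: an odd-length or non-hex string raises binascii.Error."""
    return binascii.unhexlify(hexstr).decode("utf-8")


def safe_decode_comment(hexstr):
    """Return the decoded comment, or None if the field is malformed."""
    if not _HEX_RE.match(hexstr):
        return None
    try:
        return binascii.unhexlify(hexstr).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def _split_line(line):
    """Split a constructed line into (rule text, hex comment or '')."""
    rule, sep, comment = line.rpartition(" comment=")
    return (rule, comment) if sep else (line, "")


def load_rules_naive(lines):
    """Aborts the whole load on the first corrupted comment field."""
    return [(rule, naive_decode_comment(hexc)) for rule, hexc in map(_split_line, lines)]


def load_rules_safe(lines):
    """Keep every rule; drop only the unreadable comment and record a warning."""
    rules, warnings = [], []
    for lineno, line in enumerate(lines, 1):
        rule, hexc = _split_line(line)
        comment = safe_decode_comment(hexc)
        if hexc and comment is None:
            warnings.append("line %d: unreadable comment field %r" % (lineno, hexc))
        rules.append((rule, comment))
    return rules, warnings


def naive_load_raises(lines):
    """True if the unguarded loader raises on these lines."""
    try:
        load_rules_naive(lines)
    except binascii.Error:
        return True
    return False


if __name__ == "__main__":
    print("naive loader raises:", naive_load_raises(RULES))
    rules, warnings = load_rules_safe(RULES)
    for rule, comment in rules:
        print(comment, "<-", rule)
    print("\n".join(warnings))
```

The guarded loader returns all three rules with the third comment set to `None` and one warning, whereas the unguarded loader raises `binascii.Error` on the truncated field and loads nothing. Keeping the rule while discarding only the unreadable annotation is the right trade-off for a firewall loader: a corrupted comment must not silently turn into missing filtering rules.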