#1005129 bullseye-pu: package nvidia-graphics-drivers/470.103.01-1~deb11u1

#1005129#5
Date:
2022-02-07 17:13:08 UTC
From:
To:
Hi,

I'd like to update nvidia-graphics-drivers/non-free to a new upstream
release to fix CVE-2022-21813, CVE-2022-21814.
Since the 460 driver series seems to be EoL now, we need to switch to
the 470 series (supported until 07/2024), which supports a superset of
the GPUs supported by the 460 drivers. The first 470 release was only a
few days before the bullseye release and therefore too late to migrate
in time. (The 495 and later releases drop again support for some ancient
cards (and therefore I won't consider them for bullseye-pu), leaving
the legacy support in the 470 series).

It comes with a few packaging changes:

There is a new B-D: libnvidia-egl-wayland1 - we use the library built
from source instead of the one bundled with the blob.

There is a new binary package: libnvidia-nvvm4

This binary package was removed: libegl1-nvidia, leftover from the
non-glvnd packages and no longer usable. It was still installable, but
not along the other driver components. Consequently, some non-glvnd
alternatives have been dropped as well. (nvidia-driver-libs-nonglvnd
only existed up to the 418 series)

The tesla-440 driver is no longer in the archive (and was not in
bullseye), dropping it from alternatives.

There are some files with large pci id lists being added: two are used
by nvidia-detect for the 470 driver (debian/detect/*.ids), the other
are for maintainer convenience to document the EoL GPU models
(debian/end-of-life-*)

A new conffile (nvidia-options.conf) is being added to show in a working
way how to load the module with custom options set. (The existing one
from nvidia-kernel-support did not take into account our weird way of
module renaming for co-installability.)

Not to forget the usual patch and lintian refresh. Some ancient history
was added to the changelog to better document kernel support backporting
that happened for legacy drivers.

If you have more questions, please let me know.


This update will also require updates to
  nvidia-modprobe (versioned Depends)
  nvidia-setting (versioned Recommends)
  nvidia-xconfig (keep mayor version in sync)
  nvidia-persistenced (keep major version in sync)


Andreas

#1005129#18
Date:
2022-03-19 17:27:36 UTC
From:
To:
Control: tags -1 + confirmed

Please go ahead; thanks.

As with the other updates which will need to go through NEW, if this
one doesn't make it in time for 11.3, are there any other nvidia-*
updates that we'll need to hold as well?

Should this update wait for the nvidia-*-tesla-470 packages to be
available? I realise the drivers are only in Suggests, so I guess it
should be fine, but just wanted to confirm.

Regards,

Adam

#1005129#25
Date:
2022-03-19 21:46:57 UTC
From:
To:
other updates

We could do the update of nvidia-graphics-drivers/470.103.01 in two stages:
* deb11u1 with libnvidia-nvvm4 disabled (there are no rdepends),
avoiding NEW + all the other */470.* (but not *-tesla-470/*) updates
* deb11u2 with libnvidia-nvvm4 enabled, going through NEW, s.t. the
driver does not differ feature wise from 470 elsewhere

If libnvidia-nvvm4 doesn't make it through NEW in time, we only lose an
"optional" package but are still able to update the whole stack to 470.

The two *-tesla-470 source packages need to go in together, but the rest
of the stack does not have to wait for them. The only dependency is to
have nvidia-modprobe/470.* first ;-)
Once we have *-tesla-470, I'll come with an update for *-tesla-460 to
turn it into transitional packages switching to *-tesla-470 (first test
uploaded a few days ago to sid)

Andreas

#1005129#30
Date:
2022-03-19 23:45:37 UTC
From:
To:
That might be best if we want to get the rest of the stack into 11.3.

The window closes "tomorrow", which is mostly "when Adam has had
enough", but is usually by the start of the 19:52 dinstall at the
latest.

Regards,

Adam

#1005129#35
Date:
2022-03-21 09:34:23 UTC
From:
To:
FTR, the incremental debdiff from 470.103.01-1 to 470.103.01-3~deb11u1

it contains the same additional changes also added with the tesla-450
upload and some preparations for phasing out tesla-460 in favor of
tesla-470.
Having these changes without adding tesla-470 driver and turning
tesla-460 into transitional packages at the same time does no harm
(some Suggests will be gone and nvidia-detect will no longer report
tesla-460 as a candidate while it might mention "you could also install
the tesla-470 driver").

There is also temporarily turning off libnidia-nvvm4 to avoid NEW, which
will be turned on again in ~deb11u2 going through NEW.

Andreas

#1005129#40
Date:
2022-03-21 10:03:43 UTC
From:
To:
Not sure if relative date "tomorrow" meant Sunday or Monday. If it's too
late now, no problem, we can postpone the remaining updates for the next
point release (and have NEW processed by then, too).


Andreas

#1005129#45
Date:
2022-03-21 19:01:28 UTC
From:
To:
Apologies for the confusion - "tomorrow" was Sunday, so it is indeed
too late for 11.3 now.

We have nvidia-graphics-drivers-tesla-450 and nvidia-modprobe in p-u
ready to be part of the point release. My understanding from your
previous comments is that should work OK without the remaining updates,
but please yell if I've misunderstood.

Regards,

Adam

#1005129#50
Date:
2022-05-01 19:53:43 UTC
From:
To:
package release.debian.org
tags 1005129 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: nvidia-graphics-drivers
Version: 470.103.01-3~deb11u1

Explanation: new upstream release; switch to upstream 470 tree; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]

#1005129#55
Date:
2022-05-01 19:53:50 UTC
From:
To:
package release.debian.org
tags 1005129 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: nvidia-graphics-drivers
Version: 470.103.01-3~deb11u2

Explanation: new upstream release; switch to upstream 470 tree; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]

#1005129#60
Date:
2022-05-01 19:53:43 UTC
From:
To:
package release.debian.org
tags 1005129 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: nvidia-graphics-drivers
Version: 470.103.01-3~deb11u1

Explanation: new upstream release; switch to upstream 470 tree; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]

#1005129#63
Date:
2022-05-01 19:53:50 UTC
From:
To:
package release.debian.org
tags 1005129 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: nvidia-graphics-drivers
Version: 470.103.01-3~deb11u2

Explanation: new upstream release; switch to upstream 470 tree; fix denial of service issues [CVE-2022-21813 CVE-2022-21814]

#1005129#68
Date:
2022-07-09 10:47:43 UTC
From:
To:
(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye
point release.

Regards,

Adam