On 07. 03. 23, 17:04, Jim Henderson wrote:
> Yeah. My point is, though, that telling people running TW "read something that's not part of the actual update utility output", especially something that's on a mailing list, blog, buried in release notes (which we all know nobody really reads on a regular basis) is just bad form - just like the changes that broke (for some people) sudo a few months back.
OTOH, lockdown was present in the changelog and had a bug reference where all the risks were evaluated. Have you read the changelog at least? I believe close to no one reads that, nor any blogs, logs, or lists. Only when something breaks. That the bug was not and still is not public is a mistake. But not mine, sorry.
> If we make changes that have the potential to break someone's system, we should do them the courtesy of telling them with specificity (not just "TW updates might break your system" - that's 100% accurate and 0% useful) what changes are being made (or proposed to be made) and give an option to avoid the update.
Provided the bug is VUL0, it had to be quick. Not much space to prepare anyone. I believe people using TW are well aware of "zypper al" and the TW history repo. And they use btrfs by default, so can roll back too, right? And could boot with secure boot disabled. Many well-known options to work around the issue, I think. Last but not least, I do not recommend anyone with out-of-tree modules to run TW. I mean those users not having good enough knowledge of how to fix things. And you likely know, out-of-tree modules break really often. And the only place where the users are supposed to complain is the companies producing those, ehm, modules.
> There will always be unintended consequences that get missed - but in a case like this (or the sudo change), that was a completely foreseeable issue.
Sorry, no crystal ball here. Provided it all works in Leap, there were no doubts this will run on TW too. And see, the whole module signing machinery is broken heavily in TW and no one noticed until now. Without the trial, we wouldn't find out. Note that openQA passed too. We don't even test these modules there. So no one expected the lockdown patchset to fail. Maybe we can build some basic KMP (print hello world), try to load it and check the logs for hello world. I have no idea how hard that would be. KMPs should be tested. (But not the proprietary ones. No one wants to be blocked by all those.)

In any case, now, the whole lockdown patchset is flushed down the toilet. After these things get fixed, we might retry. This time, after KMP maintainers confirm their modules work.

thanks,
--
js
suse labs
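
The "load a hello-world KMP and check the logs" idea from the message above, sketched as an added example that is not part of the original message or of openQA: a shell function that classifies the kernel log captured around the load attempt. The module name `hello_kmp`, the marker text and the sample log lines are constructed; the rejection patterns follow mainline kernel message wording and are an assumption for a kernel carrying a distribution lockdown patchset.

```shell
#!/bin/sh
# Classify the kernel log captured around loading a test KMP.
# Usage: classify_kmp_load MARKER MODULE < log-excerpt
# Prints one of: loaded, loaded-unverified, rejected, no-marker.
# Feed only the lines logged since just before the load attempt: the
# rejection messages do not name the module.
classify_kmp_load() {
    marker=$1
    module=$2
    log=$(cat)
    if printf '%s\n' "$log" | grep -Eq \
        'Lockdown: .*unsigned module loading is restricted|Loading of .* is rejected'; then
        echo rejected            # signature enforcement or lockdown refused it
    elif ! printf '%s\n' "$log" | grep -Fq -- "$marker"; then
        echo no-marker           # init function never ran, reason unknown
    elif printf '%s\n' "$log" | grep -Fq -- "$module: module verification failed"; then
        echo loaded-unverified   # ran, but the signature did not verify
    else
        echo loaded
    fi
}

# Constructed sample excerpts (hypothetical module "hello_kmp").
SAMPLE_OK='[   42.100000] hello_kmp: hello world'
SAMPLE_UNVERIFIED='[   42.090000] hello_kmp: module verification failed: signature and/or required key missing - tainting kernel
[   42.100000] hello_kmp: hello world'
SAMPLE_LOCKDOWN='[   42.090000] Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7'
SAMPLE_SIGENFORCE='[   42.090000] Loading of unsigned module is rejected'

for s in "$SAMPLE_OK" "$SAMPLE_UNVERIFIED" "$SAMPLE_LOCKDOWN" "$SAMPLE_SIGENFORCE"; do
    printf '%s\n' "$s" | classify_kmp_load 'hello world' hello_kmp
done
```

A test run would treat `loaded` as a pass on a Secure Boot system and anything else as a failure of the signing chain, which is the breakage a marker-only check would report without a cause.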