XZ fixup
After the xz-backdoor was discovered, the Progress Linux repositories and infrastructure underwent a complete audit and no compromise (apart from the xz package itself) was found; see xz-backdoor for more information.
We have nevertheless set up the entire infrastructure again in a clean-room fashion, replaced all PGP and SSH keys, regenerated all Git repositories and rebuilt all Debian packages. This is the only way to be completely sure about the integrity of the project.
The xz-backdoor continues to be analyzed and we urge all users to set up their systems again from scratch, revoke all cryptographic keys (PGP, SSH, etc.), and change all passwords.
Users who do not wish to reinstall their systems can upgrade to the new archive signed by new keys by following the instructions below.
1. Install new archive keys
Until the new Progress Linux keyrings have been included in the Debian stable, oldstable and oldoldstable distributions, existing Progress Linux systems can be updated to the new archive signing keys:
- either by using the progress-linux package to create the necessary repository configuration automatically
- or by doing everything manually
It does not matter which way you choose, as the manual instructions below result in the exact same configuration.
1.1 Assisted upgrade
wget https://deb.debian.org/debian/pool/main/p/progress-linux/progress-linux-pgp-keys_20240420-4_all.deb
sudo dpkg -i progress-linux-pgp-keys_20240420-4_all.deb
wget https://deb.debian.org/debian/pool/main/p/progress-linux/progress-linux-ssh-keys_20240420-4_all.deb
sudo dpkg -i progress-linux-ssh-keys_20240420-4_all.deb
wget https://deb.debian.org/debian/pool/main/p/progress-linux/progress-linux_20240420-4_all.deb
sudo dpkg -i progress-linux_20240420-4_all.deb
rm -f progress-linux-pgp-keys_20240420-4_all.deb progress-linux-ssh-keys_20240420-4_all.deb progress-linux_20240420-4_all.deb
1.2 Manual upgrade
If you prefer not to use the assisted upgrade, here's an example of how to manually update the archive signing keys on a Debian 12 (bookworm) system to the corresponding Progress Linux release.
# debian-keyring contains the public keys of all trusted Debian project members
wget https://deb.debian.org/debian/pool/main/d/debian-keyring/debian-keyring_2022.12.24_all.deb
sudo dpkg -i debian-keyring_2022.12.24_all.deb
rm -f debian-keyring_2022.12.24_all.deb
# downloading new key and signature
wget https://deb.progress-linux.org/packages/project/pgp/progress-linux-7-graograman-archive-key.pub -O - | sudo tee /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg
wget https://deb.progress-linux.org/packages/project/pgp/progress-linux-7-graograman-archive-key.pub.sig -O - | sudo tee /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg.sig
# verify new key is signed with one or more trusted keys from
# either Debian Developers keyring (debian-keyring.gpg)
# or Debian Maintainers keyring (debian-maintainers.gpg)
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-maintainers.gpg --verify /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg.sig
sudo rm -f /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg.sig
# create a temporary gnupg home directory
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 0700 "${GNUPGHOME}"
# convert key from ascii format to binary
# (apt requires keys specified via Signed-by in apt sources to be in binary format)
gpg --import /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg
gpg --export 0650B427DE77D598819129B47A8EB2C58FE6A7E6 | sudo tee /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg
# remove temporary gnupg home directory
rm -rf "${GNUPGHOME}"
unset GNUPGHOME
# remove, if any, old keys
sudo rm -f /usr/share/progress-linux/pgp-keys/apt.progress-linux.org.gpg
# use the new key in apt sources
sudo sed -i -e 's|apt.progress-linux.org.gpg|deb.progress-linux.org.gpg|g' /etc/apt/sources.list.d/progress-linux.sources
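The manual steps above keep running even if one of them fails when pasted into a shell, so a check of the end state is useful. The following is an added example, not part of the original Progress Linux instructions: it confirms that the installed keyring holds exactly the key with the fingerprint used above and that the apt sources no longer name the old keyring. The function names, the constructed sample and the assumption that Signed-By sits on a single line are mine.

```shell
#!/bin/sh
# Added example, not Progress Linux code. Fingerprint and paths are the page's.
EXPECTED_FPR="0650B427DE77D598819129B47A8EB2C58FE6A7E6"
KEYRING="/usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg"
SOURCES="/etc/apt/sources.list.d/progress-linux.sources"

# Reads `gpg --show-keys --with-colons` output on stdin. Succeeds only if it
# lists exactly one primary key whose fingerprint (field 10 of the "fpr"
# record that follows "pub") is EXPECTED_FPR. Empty input fails, which catches
# a `gpg --export` that matched nothing and left an empty keyring behind.
check_keyring_colons() {
    awk -F: -v want="$EXPECTED_FPR" '
        $1 == "pub" { pubs++; primary = 1; next }
        $1 == "fpr" { if (primary && $10 == want) ok++; primary = 0 }
        END { exit !(pubs == 1 && ok == 1) }
    '
}

# Succeeds only if the sources file no longer names the old keyring and has a
# Signed-By line naming the new one (assumes Signed-By is on a single line).
check_sources() {
    [ -r "$1" ] || return 2
    if grep -q 'apt\.progress-linux\.org\.gpg' "$1"; then return 1; fi
    grep -qi '^Signed-By:.*deb\.progress-linux\.org\.gpg' "$1"
}

# Constructed sample of colon output; only the fingerprint is from the page.
sample_colons() {
    printf '%s\n' \
        'pub:-:4096:1:7A8EB2C58FE6A7E6:1713571200:::-:::scSC:' \
        "fpr:::::::::${EXPECTED_FPR}:" \
        'sub:-:4096:1:1111111111111111:1713571200::::::e:' \
        'fpr:::::::::1111111111111111111111111111111111111111:'
}

# Run both checks against the live system.
verify_fixup() {
    gpg --show-keys --with-colons "$KEYRING" 2>/dev/null | check_keyring_colons \
        || { echo "keyring does not hold exactly the expected key" >&2; return 1; }
    check_sources "$SOURCES" \
        || { echo "sources file missing or not using only the new keyring" >&2; return 1; }
    echo "archive key and apt sources look consistent"
}

if [ "${1:-}" = "--live" ]; then verify_fixup; fi
```

Save it to a file and run it with --live on the upgraded system; without that argument it only defines the functions.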
2. Undo t64 migration
Only Debian 12 (bookworm) based systems with backports, aka Progress Linux 7.99 (graograman-backports), installed before 2024-04-20 need to undo the partial t64 migration first, before installing any updates. Here's an example for the amd64 architecture:
if dpkg --get-selections | grep -qs ^libsmbclient0
then
    sudo dpkg --force-all -P libsmbclient0
fi
if dpkg --get-selections | grep -qs ^libapt-pkg6.0t64
then
    sudo dpkg --force-all -P libapt-pkg6.0t64
    wget https://apt.progress-linux.org/archive/graograman-backports/apt/2.9.0-0.0~progress7.99u1_amd64/apt_2.9.0-0.0~progress7.99u1_amd64.deb
    wget https://apt.progress-linux.org/archive/graograman-backports/apt/2.9.0-0.0~progress7.99u1_amd64/apt-utils_2.9.0-0.0~progress7.99u1_amd64.deb
    wget https://apt.progress-linux.org/archive/graograman-backports/apt/2.9.0-0.0~progress7.99u1_amd64/libapt-pkg6.0_2.9.0-0.0~progress7.99u1_amd64.deb
    sudo dpkg -i apt_2.9.0-0.0~progress7.99u1_amd64.deb apt-utils_2.9.0-0.0~progress7.99u1_amd64.deb libapt-pkg6.0_2.9.0-0.0~progress7.99u1_amd64.deb
    rm -f apt_2.9.0-0.0~progress7.99u1_amd64.deb apt-utils_2.9.0-0.0~progress7.99u1_amd64.deb libapt-pkg6.0_2.9.0-0.0~progress7.99u1_amd64.deb
fi
for PACKAGE in $(dpkg --get-selections | awk '/t64/ { print $1 }' | awk -F: '{ print $1 }')
do
    sudo dpkg --force-all -P ${PACKAGE}
done
sudo apt update
sudo apt install -f
3. Upgrade
sudo apt update
sudo apt upgrade
sudo apt full-upgrade
sudo apt autopurge
4. Reboot
If your system is not a container, reboot it to finish the xz fixup.
sudo reboot