XZ fixup
After the xz-backdoor has been discovered, the Progress Linux repositories and infrastructure have been undergone a complete audit and no compromise (apart from the xz package itself) has been found, see xz-backdoor for more information.
We still have clean-room resetup the entire infrastructure, replaced all PGP and SSH keys, regenerated all Git repositories and rebuild all Debian packages. This is the only way to be completely sure about the integrity of the project.
The xz-backdoor is continued to be analyzed and we urge all users to resetup their systems from scratch, revoke all cryptographic keys (PGP, SSH, etc.), and change all passwords.
Users who do not wish to reinstall their systems, can upgrade to the new archive signed by new keys by following the instructions below.
1. Install new archive keys
Until the new Progress Linux keyrings have been included in Debian stable, oldstable and oldoldstable distributions, existing Progress Linux systems can be updated to the new archive signing keys by:
- either by using the progress-linux package to create the necessary repository configuration automatically
- or by doing everything manually
It does not matter which way you choose as the manual instructions below result in the exact same configuration.
1.1 Assisted upgrade
wget https://deb.debian.org/debian/pool/main/p/progress-linux/progress-linux-pgp-keys_20240420-4_all.deb
sudo dpkg -i progress-linux-pgp-keys_20240420-4_all.deb
wget https://deb.debian.org/debian/pool/main/p/progress-linux/progress-linux_20240420-4_all.deb
sudo dpkg -i progress-linux_20240420-4_all.deb
rm -f progress-linux-pgp-keys_20240420-4_all.deb progress-linux_20240420-4_all.deb
1.2 Manual upgrade
wget https://deb.debian.org/debian/pool/main/p/progress-linux/progress-linux-pgp-keys_20240420-4_all.deb sudo dpkg -i progress-linux-pgp-keys_20240420-4_all.deb wget https://deb.debian.org/debian/pool/main/p/progress-linux/progress-linux_20240420-4_all.deb sudo dpkg -i progress-linux_20240420-4_all.deb rm -f progress-linux-pgp-keys_20240420-4_all.deb progress-linux_20240420-4_all.deb
If you prefer not using the assisted upgrade, here's an example on how to manually update the archive signing keys on a Debian 12 (bookworm) system to the corresponding Progress Linux release.
# debian-keyring contains the public keys of all trusted Debian project members
wget https://deb.debian.org/debian/pool/main/d/debian-keyring/debian-keyring_2022.12.24_all.deb
sudo dpkg -i debian-keyring_2022.12.24_all.deb
rm -f debian-keyring_2022.12.24_all.deb
# downloading new key and signature
wget https://deb.progress-linux.org/packages/project/pgp/progress-linux-7-graograman-archive-key.pub -O - | sudo tee /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg
wget https://deb.progress-linux.org/packages/project/pgp/progress-linux-7-graograman-archive-key.pub.sig -O - | sudo tee /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg.sig
# verify new key is signed with one or more trusted keys from
# either Debian Developers keyring (debian-keyring.gpg)
# or Debian Maintainers keyring (debian-maintainers.gpg)
gpg --keyring /usr/share/keyrings/debian-keyring.gpg --keyring /usr/share/keyrings/debian-maintainers.gpg --verify /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg.sig
sudo rm -f /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg.sig
# create a temporary gnupg home directory
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 0700 "${GNUPGHOME}"
# convert key from ascii format to binary
# (apt requires keys specified via Signed-by in apt sources to be in binary format)
gpg --import /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg
gpg --export 0650B427DE77D598819129B47A8EB2C58FE6A7E6 | sudo tee /usr/share/progress-linux/pgp-keys/deb.progress-linux.org.gpg
# remove temporary gnupg home directory
rm -rf "${GNUPGHOME}"
unset GNUPGHOME
# remove, if any, old keys
sudo rm -f /usr/share/progress-linux/pgp-keys/apt.progress-linux.org.gpg
# use the new key in apt sources sudo sed -i -e 's|apt.progress-linux.org.gpg|deb.progress-linux.org.gpg|g' /etc/apt/sources.list.d/progress-linux.sources
2. Undo t64 migration
Only on Debian 12 (bookworm) based systems with backports aka Progress Linux 7.99 (graograman-backports) installed before 2024-04-20 need to undo first the partial t64 migration before installing any updates. Here's an example for the amd64 architecture:
if dpkg --get-selections | grep -qs ^libsmbclient0
then
sudo dpkg --force-all -P libsmbclient0
fi
if dpkg --get-selections | grep -qs ^libapt-pkg6.0t64
then
sudo dpkg --force-all -P libapt-pkg6.0t64
wget https://apt.progress-linux.org/archive/graograman-backports/apt/2.9.0-0.0~progress7.99u1_amd64/apt_2.9.0-0.0~progress7.99u1_amd64.deb
wget https://apt.progress-linux.org/archive/graograman-backports/apt/2.9.0-0.0~progress7.99u1_amd64/apt-utils_2.9.0-0.0~progress7.99u1_amd64.deb
wget https://apt.progress-linux.org/archive/graograman-backports/apt/2.9.0-0.0~progress7.99u1_amd64/libapt-pkg6.0_2.9.0-0.0~progress7.99u1_amd64.deb
sudo dpkg -i apt_2.9.0-0.0~progress7.99u1_amd64.deb apt-utils_2.9.0-0.0~progress7.99u1_amd64.deb libapt-pkg6.0_2.9.0-0.0~progress7.99u1_amd64.deb
rm -f apt_2.9.0-0.0~progress7.99u1_amd64.deb apt-utils_2.9.0-0.0~progress7.99u1_amd64.deb libapt-pkg6.0_2.9.0-0.0~progress7.99u1_amd64.deb
fi
for PACKAGE in $(dpkg --get-selections | awk '/t64/ { print $1 }' | awk -F: '{ print $1 }')
do
sudo dpkg --force-all -P ${PACKAGE}
done
sudo apt update
sudo apt install -f
3. Upgrade
sudo apt update
sudo apt upgrade
sudo apt full-upgrade
sudo apt autopurge
4. Reboot
sudo apt update sudo apt upgrade sudo apt full-upgrade sudo apt autopurge
If your system is not a container reboot it to finish the xz fixup.
sudo reboot