Infra upgrades for copy.fail CVE - issue on buildbot master

[Baptiste Jonglez]

On 05-05-26, Hauke Mehrtens wrote:
> On 5/5/26 00:05, Baptiste Jonglez wrote:
> > Hi,
> > 
> > The risk of copy.fail on our infra is not very high, but we should patch
> > anyway.  The biggest risks are buildbot workers (they run semi-unstrusted
> > code from the package feeds) and webservices (where any vulnerability
> > would be escalated to root).  I haven't seen any sign of compromise.
> > 
> > I've just upgraded most of our infra with newer kernels with the fix:
> > 
> > - buildbot master
> > - buildbot workers (except 2 still pending because I/O is a bit slow)
> > - wiki
> > - forum
> > - git
> > 
> > Still pending:
> > 
> > - remaining buildbot workers - in progress
> > - main download server - planned tomorrow
> > - other services (firmware selector, sysupgrade server)
> > - misc infra servers
> > 
> > Baptiste
> Hi,
> 
> I triggered the OpenWrt 25.12.3 builds. Please take care that they do not
> get disturbed. They should finish in about 12 hours.

Unfortunately, there is an issue with signing on the buildbot master due
to the reboot:

/scripts/signall.sh /master/signing/layerscape.armv7.tar.gz openwrt-25.12
** RUNNING ON BUILDMASTER **
 in dir /master
 argv: ['/scripts/signall.sh', '/master/signing/layerscape.armv7.tar.gz', 'openwrt-25.12']
 env: {'CONFIG_INI': '/config/config.ini'}
gpg: signing failed: Inappropriate ioctl for device
gpg: signing failed: Inappropriate ioctl for device
/scripts/signall.sh: line 144: signall.7699/usign.sec: No such file or directory
find: ‘signall.7699/tar/’: No such file or directory

This is because the Nitrokey needs to be unlocked [1,2], I forgot about that, sorry.

Petr is going unlock the card, and we'll see how to share the unlock PIN.

Baptiste

[1] https://openwrt.org/docs/guide-developer/releases/provision-nitrokey3
[2] https://git.openwrt.org/keyring/commit/?id=6b42a5c8b7dc049b899869b2a1b94daf69ceb2f5