ACK/Cmnt: [SRU][J/M][PATCH v2 0/1] UBUNTU: [Packaging] Check for relevant changes for security certifications

Tim Gardner tim.gardner at canonical.com
Tue Sep 26 13:25:53 UTC 2023


On 9/6/23 3:24 PM, Magali Lemes wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
> 
> [Impact]
> 
> When producing a new version of some kernels, we need to check for
> changes that might affect FIPS or other certs and justify why a commit
> was kept or removed.
> 
> To simplify this process we can add an automated check that will abort
> the kernel preparation and build when such changes exist without a
> justification.
> 
> [Test Plan]
> 
> Check if the kernel preparation fails (cranky close) when any of the files
> specified by `crypto_files` is changed.
> 
> [Where problems could occur]
> 
> No kernels should be affected unless we enable this check by setting
> `do_fips_checks` to true. In the generic Jammy kernel, `do_fips_checks` is
> already set to false in `debian/rules.d/0-common-vars.mk`. Even if the variable
> is set to true, that only affects the kernel preparation and not the
> resulting kernel.
> 
> [Other Info]
> 
> Changes in v2:
>   - `tag_prefix` was set based on the $DEBIAN_MASTER folder name, such that for
>   first order derivatives the tag prefix would be `Ubuntu-master-*`. Fix
>   this by relying on the package name from $DEBIAN_MASTER/changelog instead.
> 
> Marcelo Henrique Cerri (1):
>    UBUNTU: [Packaging] Add a new fips-checks script
> 
>   debian/scripts/misc/fips-checks | 139 ++++++++++++++++++++++++++++++++
>   1 file changed, 139 insertions(+)
>   create mode 100755 debian/scripts/misc/fips-checks
> 
Acked-by: Tim Gardner <tim.gardner at canonical.com>

If it doesn't work, then you (the cranker) will be the one to suffer. 
Otherwise this patch won't affect the code or packaging.
-- 
-----------
Tim Gardner
Canonical, Inc
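The gate the cover letter describes, as an added illustration written for this page and not the fips-checks script from the patch. It assumes a constructed `crypto_files` list of path prefixes, a tag prefix derived from the package name in $DEBIAN_MASTER/changelog (the v2 fix), the `do_fips_checks` switch, and a hypothetical `Fips-Justification:` commit trailer as the way a change is justified.

```shell
#!/bin/sh
# Illustrative FIPS change gate for a kernel crank. Written for this page; it is
# not Ubuntu's debian/scripts/misc/fips-checks. Constructed assumptions:
#   - crypto_files lists path prefixes whose changes matter for FIPS certs
#   - the baseline is the newest tag with the prefix derived from the package
#     name in $DEBIAN_MASTER/changelog (the v2 fix in the cover letter)
#   - a change counts as justified when a commit since the baseline carries a
#     "Fips-Justification:" trailer (hypothetical convention, not Ubuntu's)

crypto_files="crypto/ arch/x86/crypto/ lib/crypto/ drivers/char/random.c"

# Print the tag prefix for the package named in a Debian changelog: the first
# word of its first line, e.g. "linux" -> Ubuntu-, "linux-aws" -> Ubuntu-aws-.
tag_prefix_from_changelog() {
    pkg=$(head -n1 "$1" | cut -d' ' -f1)
    case "$pkg" in
        linux)   echo "Ubuntu-" ;;
        linux-*) echo "Ubuntu-${pkg#linux-}-" ;;
        *)       return 1 ;;
    esac
}

# Given newline-separated changed paths, print those under crypto_files.
crypto_changes() {
    printf '%s\n' "$1" | while IFS= read -r path; do
        [ -n "$path" ] || continue
        for prefix in $crypto_files; do
            case "$path" in
                "$prefix"*) echo "$path"; break ;;
            esac
        done
    done
}

# Return 1 (abort the crank) when crypto files changed since baseline tag $1
# without a justification; do nothing unless do_fips_checks=true.
fips_check() {
    [ "${do_fips_checks:-false}" = "true" ] || return 0
    hits=$(crypto_changes "$(git diff --name-only "$1"..HEAD)")
    [ -n "$hits" ] || return 0
    if git log --format=%B "$1"..HEAD | grep -q '^Fips-Justification:'; then
        printf 'fips-checks: justified crypto changes:\n%s\n' "$hits"
        return 0
    fi
    printf 'fips-checks: unjustified changes to crypto files, aborting:\n%s\n' "$hits" >&2
    return 1
}

# Typical invocation during cranky close, with the baseline found by the caller:
#   prefix=$(tag_prefix_from_changelog debian.master/changelog)
#   do_fips_checks=true fips_check "$(git describe --tags --abbrev=0 --match "${prefix}[0-9]*")"
```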