Kernels built - copy to -proposed?

Brad Figg brad.figg at canonical.com
Fri Dec 3 16:13:09 GMT 2010


On 12/03/2010 06:19 AM, Martin Pitt wrote:
> Hello Steve,
>
> Steve Conklin [2010-12-02 16:33 -0600]:
>> We've completed uploading kernels for the next cycle to our kernel ppa
>> and they've built. Now they need to be copied to the -proposed pocket so
>> we can begin verification next week.
>>
>> I'm not sure how the process is different now that we're doing it this
>> way instead of having you approve uploads before they are built. If you
>> can provide information about this it would help us.
>
> Why are you now using a PPA instead of -proposed? A PPA shouldn't
> build a kernel any faster than the regular archive buildds? This
> approach effectively breaks the tools that we have for review, so the
> process for the person who reviews/accepts the upload will be a lot
> harder.

We are building using a non-virtualized ppa builder which is configured
to only have a build dependency for -security in the same manner that
the security team builds with.

We have done this on the recommendation of the security team for the reason
that the -proposed builds can now contain non-critical, non-embargoed CVEs
and the results of these builds will be able to be pocket copied to the
-security pocket.

I had assumed that you had been consulted on this change. That was a large
oversight on our part and I sincerely apologize for that mistake.

>
> That these kernels now may have security fixes and bug fixes
> intermixed is not a buildd/archive problem. The existing security
> update process already has a staging area and ensures that -proposed
> components aren't used, and for a "regular" SRU which goes to -updates
> the existing SRU process works just fine.

This was agreed to at UDS. Non-critical, non-embargoed CVEs would just be
rolled into regular -proposed builds. There were at least two sessions
where this specific issue was discussed.

>
> However, mixing security and bug fixes IS a problem nevertheless:
> Either it means that we are holding back security fixes for two weeks,
> or that we smuggle non-security changes under the security fast-track
> to circumvent the -proposed testing and regression catching; neither
> of which sounds appropriate to me.

Again, this was discussed at UDS and agreed to by all present. We are
_not_ trying to smuggle non-security changes under the security fast-track.
On the contrary, CVEs are now getting the same testing that other patches
are getting, which is better than was the case before.

Also, with this process, we will be getting CVEs out in a more timely
fashion. Previously we would batch up CVEs for many weeks because the
security builds/process was so disruptive to getting regular stable
patches out. Now they are all proceeding at the same regular pace.

The only exceptions to this are the critical and/or embargoed CVEs, which
will require a special -security upload and release.

>
>> We've put the documentation we have here, there's a section titled
>> "Build PPA and process for pocket copying":
>>
>> https://wiki.ubuntu.com/Kernel/StableReleaseCadence
>>
>> Within that there's a link to this information written by Jamie
>> Strandboge:
>>
>> https://wiki.ubuntu.com/ArchiveAdministration#Copying%20PPA%20kernels%20to%20proposed
>>
>> Please correct anything that's not correct on those pages.
>
> I updated ArchiveAdministration to include the missing steps that are
> required for an SRU [1], including a disclaimer that this is in no way
> a sanctioned process.
>
> Thanks, and have a good weekend,
>
> Martin
>
> [1] https://wiki.ubuntu.com/ArchiveAdministration?action=diff&rev2=170&rev1=169

Brad
-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com


