Kernels built - copy to -proposed?

Kees Cook kees.cook at canonical.com
Mon Dec 6 19:12:21 GMT 2010


On Mon, Dec 06, 2010 at 07:50:34PM +0100, Martin Pitt wrote:
> for the details. This would need to be changed to fetch the .changes
> and debdiff from the PPA. I just checked, and fortunately it seems
> that PPAs also generate debdiffs against the corresponding Ubuntu
> release, so it shouldn't be too hard. Is this going to be a public
> PPA? If not, then we need to rewrite queuediff from urllib to using
> launchpadlib (there seems to be a method packageDiffUrl() which we can
> use), and ~ubuntu-sru needs to be able to access the PPA.

Yes, it would be a public PPA. Embargoed security issues would go through a
different process (the bulk of security issues are not embargoed).

> The alternative approach would be to let the security team do the
> review and copying, and run sru-accept.py by themselves, as I outlined
> in
> 
>   https://wiki.ubuntu.com/ArchiveAdministration#Copying%20PPA%20kernels%20to%20proposed%20(DRAFT)

I would prefer to keep the security team out of this process except for
helping with CVE triage, PoC creation, and USN publications.

> I guess you already have your own methods/scripts to review package
> deltas, so exercising the steps 1 and 2 might actually be easier for
> you as well?

Well, generally I just read the debdiff before uploading. I've always got
local copies of everything, so I don't really need a script for it.
However, if it helps, here's what we use to pull down binaries, source, etc.
from PPAs:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/annotate/head%3A/scripts/sis-changes

usually via:
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-security-tools/trunk/annotate/head%3A/repo-tools/copy_sppa_to_repos

Which has docs at the top on downloading kernels, actually. :)


-Kees

-- 
Kees Cook
Ubuntu Security Team



More information about the technical-board mailing list