SRU/CVE wholesale backport of (mostly) obscured blobs

Dimitri John Ledkov xnox at ubuntu.com
Tue Jun 27 09:45:39 UTC 2017


Hello,

I have noticed the intel-microcode bug report
https://bugs.launchpad.net/ubuntu/+source/intel-microcode/+bug/1700373
and prepared updates for it.

My understanding is that I have prepared it using the best practices for
this class of packages.

Specifically, backport of a package with new features, bugfixes and
security fixes. Up to the latest LTS.

Thus I have followed the backports model of the update, meaning minimal
diff between the proposed update and the version of the package being
backported. Thus minimal diff relative to the development release - with
the only delta relative to artful being the changelog in this case, as no other
modifications are required to adapt the package for older series. Similar
to what is used by packages like: nvidia-graphics-drivers-NNN, firefox,
linux-hwe, nplan, cloud-archive.

I could not find SRU packaging policy for the above examples of wholesale
backports.

I have used (devel-series version number)~ubuntuXX.YY.0 version number,
which is customary for the wholesale backports.

Instead, I have been asked by an SRU team member to create a more typical
targeted SRU update which uses divergent packaging on per-series basis,
increasing the delta of each SRU relative to the devel series, and minimizing
packaging changes relative to each of the series this package will land in.

I find this request to be inconsistent with the current practices of
wholesale backports in the cases when it is not possible to distinguish
piece-wise SRU/CVE bugfixes. It creates extra additional work to maintain
distinct lines of packaging on per-series basis especially when it is not
possible to create SRU / security templates on every individual change as
they are SRUed.

Please review and accept backports of intel-microcode into xenial-zesty
proposed pockets, with eventual publication in dual pockets security and
updates.

-- 
Regards,

Dimitri.