Canonical Public Cloud (CPC) team being more involved in release decisions on suite release day

Tue Apr 11 23:34:21 UTC 2023

On Tue, Apr 11, 2023 at 05:00:03PM +0100, Phil Roche wrote:

> * https://ubuntu.com/security/CVE-2022-2602 was announced and made public
> on 18th October
> * There was confusion around whether publishing a kernel to
> -updates|-security for an unreleased release during freeze was allowed and
> the decision was made not to and to wait until the archive was open again
> for uploads

Ok, let's set the record straight on this: there is no policy that prohibits
us from releasing packages to -security before the release pocket is frozen.

There may be some tooling issues that make it awkward on the kernel team's
side (that's my recollection), but there's no policy against it.

And as the cloud images are frequently updated, and security updates are
automatically installed, I don't think it's a problem if the cloud images
released on release day include packages from -security or -updates that are
not included in the installer images, mastered earlier, including packages
only from the release pocket.

So hopefully that makes things clearer.

> So to avoid this specific issue happening again, we could state that in
> circumstances like these kernels that are addressing a CVE can be published
> before release regardless of freeze state. That would mean that
> for CVE-2022-2602 all kernels would have been published and server, desktop
> and cloud could release at the same time.

> > You mention a kernel CVE; I don't remember the details, but it evidently
> > wasn't considered a reason to hold back and respin all of the installer
> > images.  Why was it necessary to hold the cloud images back?  For cloud
> > images in particular, the next image is not far away.

> For cloud, CPC's stance, and one which the cloud partners will hold us to,
> is that we do not knowingly publish any release, as opposed to a daily,
> cloud image with a high or critical priority CVE present.

Ok.

On Tue, Apr 11, 2023 at 05:20:30PM +0100, Phil Roche wrote:
> Perhaps we can amend my proposal from
> https://lists.ubuntu.com/archives/ubuntu-release/2023-April/005607.html

> server, desktop and cloud will release in lockstep on release day *.
> > * exceptions to this are where a high or critical priority CVE becomes
> > public before or on release day. If this were to occur then the server,
> > desktop and cloud images might release independently while waiting for
> > updated builds to address the CVE.

> to

> server, desktop and cloud will release in lockstep on release day *.
> * Exceptions to this are where a high or critical priority CVE becomes
> public before or on release day.  For critical priority CVEs then release
> of server, desktop and cloud will be blocked until new images can be built
> addressing the CVE.  For high priority CVEs, the decision to block release
> will be made on a per product (server, desktop and cloud) basis and will
> depend on the nature of the CVE which might result in images not being
> released on the same day.

I'm comfortable with that.  I'd like to see opinions of other Release Team
members as well.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/ubuntu-release/attachments/20230411/3aac01ba/attachment.sig>