The Kernel team uploads all non-embargoed kernels to a special native PPA, termed the Kernel PPA. This is a full native PPA configured to build against the -security pocket. This allows kernels built in this PPA to be used both as regular -updates kernels and as -security kernels when they contain CVE fixes. Once built, they are pocket copied to the relevant -proposed pocket for testing.
Setting up the Build PPA (should already exist)
According to the new process, regular stable kernel releases may now contain security CVE fixes along with normal fixes. Any kernel containing security fixes must be delivered to the -security pocket, and must therefore only be built against components which are delivered through -security, and not anything newer which may come from -updates.
In order to accomplish this, the following steps are taken to upload kernel packages:
- Create a new PPA
- Set up the build PPA as native
- Set up the PPA to build with only the security pocket enabled (i.e., not with updates or proposed)
- Debug .debs must _not_ be enabled (see below)
Uploading to the Kernel PPA
We use a shared PPA for all kernel-team originated uploads. The canonical-kernel-team PPA is used for this purpose. In order to upload -proposed kernels to this PPA, you need to set up a configuration for it in your .dput.cf file. The section for this PPA should look like this:
[kernelteam]
fqdn=ppa.launchpad.net
method=ftp
incoming=~canonical-kernel-team/ubuntu/%(kernelteam)s
login=anonymous
allow_unsigned_uploads = 0
Then when you upload, you must include the release name like this:
dput kernelteam:hardy ./<hardy-kernel-version>_source.changes
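An added example (not part of the original page or of any kernel-team tooling): a Python pre-upload check that parses the stanza above with configparser, shows how the release name after the colon fills the %(kernelteam)s placeholder in incoming, and flags a stanza that permits unsigned uploads. The names check_upload_target and EXPECTED_OWNER are assumptions made for this illustration.

```python
import configparser

# Constructed sample: the [kernelteam] stanza from this page, one key per line.
SAMPLE_DPUT_CF = """\
[kernelteam]
fqdn=ppa.launchpad.net
method=ftp
incoming=~canonical-kernel-team/ubuntu/%(kernelteam)s
login=anonymous
allow_unsigned_uploads = 0
"""

EXPECTED_OWNER = "~canonical-kernel-team"  # PPA owner named on this page


def check_upload_target(cf_text, target):
    """Resolve a 'host:release' dput target. Returns (incoming_path, problems)."""
    host, _, release = target.partition(":")
    if not release:
        return None, ["target must include the release name, e.g. kernelteam:hardy"]
    cp = configparser.ConfigParser()
    cp.read_string(cf_text)
    if not cp.has_section(host):
        return None, [f"no [{host}] section in the configuration"]
    problems = []
    try:
        raw = cp.get(host, "incoming", raw=True)
        # The text after the colon fills the %(<host>)s placeholder.
        incoming = cp.get(host, "incoming", vars={host: release})
    except configparser.Error as exc:
        return None, [f"cannot resolve incoming: {exc}"]
    if f"%({host})s" not in raw:
        problems.append("incoming has no release placeholder")
    if not incoming.startswith(EXPECTED_OWNER + "/"):
        problems.append(f"incoming is not under {EXPECTED_OWNER}")
    try:
        unsigned = cp.getboolean(host, "allow_unsigned_uploads", fallback=None)
    except ValueError:
        unsigned = None
    if unsigned is None:
        problems.append("allow_unsigned_uploads is missing or not a boolean")
    elif unsigned:
        problems.append("allow_unsigned_uploads is enabled")
    return incoming, problems


if __name__ == "__main__":
    print(check_upload_target(SAMPLE_DPUT_CF, "kernelteam:hardy"))
```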
Pocket Copying from the Kernel PPA to -proposed
Once a build is completed it should be copied to the relevant -proposed pocket to allow testing to commence.
copy-proposed-kernel <series> <package>
The copy-proposed-kernel command is from the Ubuntu archive admins' bzr repository: lp:~ubuntu-archive/ubuntu-archive-tools/trunk/
At the bottom of the pending sru page (http://people.canonical.com/~ubuntu-archive/pending-sru.html) there is a "Kernel PPA" section which shows which packages are ready to be copied and gives the command line for each.
Debug .debs and the Kernel PPA
The Kernel PPA should not have debug deb generation enabled. This PPA mode is designed for standalone PPAs, so that the debugging information is available to those adding the PPA to their system. However, in our case we wish to further copy the packages into the main archive, where debug debs have special handling. Do NOT enable this option; it will cause chaos.
The main archive maintains the debugging debs in a separate physical archive, ddebs.ubuntu.com, and has special processing to publish the main debs and the debug debs separately to these archives. If we attempt to pocket copy a PPA build which includes the debug debs, the archive will reject the copy. Luckily, as the PPA builds are native builds, the debug debs will be hoovered up by the normal processing and made available on ddebs.ubuntu.com as normal.