The Kernel team uploads all non-embargoed kernels to a special native PPA, termed the Kernel PPA. This is a full native PPA configured to build against the -security pocket. This allows kernels built in this PPA to be used as both regular -updates kernels and -security kernels when they contain CVEs. Once built, they are pocket copied to the relevant -proposed pocket for testing.

Setting up the Build PPA (should already exist)

According to the new process, regular stable kernel releases may now contain security CVE fixes along with normal fixes. Any kernel containing security fixes must be delivered to the -security pocket, and must therefore only be built against components which are delivered through -security, and not anything newer which may come from -updates.

In order to accomplish this, the following steps are taken to upload kernel packages:

  1. Create a new PPA
  2. Set up the build PPA as native
  3. Set up the PPA to build with only the security pocket enabled (i.e., not with updates or proposed)
  4. Debug .debs must _not_ be enabled (see below)
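
One way to check the constraint in step 3 is to audit the APT sources a build actually used. This is an added example, not part of the original page or the Kernel team's tooling; it assumes the build environment's sources are available as one-line sources.list text, and the sample input and the function name audit_sources are constructed for illustration.

```python
import re

# Constructed sample (not taken from a real builder), one-line sources.list format.
SAMPLE = """\
# build environment sources for a hardy kernel build
deb http://archive.ubuntu.com/ubuntu hardy main restricted
deb http://archive.ubuntu.com/ubuntu hardy-security main restricted
deb [arch=amd64] http://archive.ubuntu.com/ubuntu hardy-updates main
# deb http://archive.ubuntu.com/ubuntu hardy-proposed main
deb-src http://archive.ubuntu.com/ubuntu hardy-proposed main
"""

# Pockets a -security build may draw from: the release pocket ("") and -security.
ALLOWED_POCKETS = {"", "security"}


def audit_sources(text, series):
    """Return [(line_no, suite)] for enabled entries outside <series> and <series>-security."""
    violations = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]              # drop comments and disabled entries
        line = re.sub(r"\[[^\]]*\]", " ", line)  # drop an [option=value] block
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
            continue
        suite = fields[2]
        if suite == series:
            pocket = ""
        elif suite.startswith(series + "-"):
            pocket = suite[len(series) + 1:]
        else:
            pocket = None                        # a different series altogether
        if pocket not in ALLOWED_POCKETS:
            violations.append((line_no, suite))
    return violations


if __name__ == "__main__":
    for line_no, suite in audit_sources(SAMPLE, "hardy"):
        print(f"line {line_no}: {suite} is outside hardy and hardy-security")
```

An empty result means every enabled entry comes from the release or -security pocket of the given series.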

Uploading to the Kernel PPA

We use a shared PPA for all kernel-team originated uploads. The canonical-kernel-team PPA is used for this purpose. In order to upload -proposed kernels to this PPA, you need to set up a configuration for it in your file. The section for this PPA should look like this:

allow_unsigned_uploads = 0

Then when you upload, you must include the release name like this:

dput kernelteam:hardy ./<hardy-kernel-version>_source.changes

Pocket Copying from the Kernel PPA to -proposed

Once a build is completed, it should be copied to the relevant -proposed pocket to allow testing to commence.

copy-proposed-kernel <series> <package>

The copy-proposed-kernel command is from the Ubuntu archive admins' bzr repo, which is: lp:~ubuntu-archive/ubuntu-archive-tools/trunk/

At the bottom of the pending sru page ( there is a "Kernel PPA" section which shows which packages are ready to be copied and gives the command line for each.

Debug .debs and the Kernel PPA

The Kernel PPA should not have debug deb generation enabled. This PPA mode is designed for standalone PPAs so that this debugging information is available for those adding the PPA to their system. However, in our case we wish to further copy the packages into the main archive, where debug debs have special handling. Do NOT enable this option; it will cause chaos.

The main archive maintains the debugging debs in a separate physical archive and has special processing to separately publish the main debs and the debug debs to these separate archives. If we attempt to pocket copy a PPA build which includes the debug debs, the archive will reject the copy. Luckily, as the PPA builds are native builds, the debug debs will be hoovered up by the normal processing and made available on as normal.

Kernel/KernelPPA (last edited 2012-07-27 14:46:50 by brad-figg)