StableKernelMaintenance
|
Size: 6943
Comment:
|
Size: 13455
Comment: Document scenario of proposed and security both being ABI bumpers
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| ## page was renamed from StableKernelMaintenance | |
| Line 12: | Line 13: |
| === Getting fixes into upstream stable === As soon as a new upstream kernel gets released, there will be related 2.6.x.y tree. This will usually get maintained until the next upstream kernel is released. There is currently one exception with 2.6.27.y which is maintained long-term by GregKH and 2.6.32.y has high chances of being maintained for a longer period of time. There is a documentation file on the upstream stable process which can be found in the Linux tree under ''Documentation/stable_kernel_rules.txt''. The written down rules for acceptable patches are very like those set down for SRU acceptance. Though in practice, they seem to be handled a bit relaxed. ==== New patches ==== When trying to get a fix into upstream stable, the first question to as is: Has the patch been sent to upstream already? If it is a new fix, the decision whether it is suitable for stable is made by the author or subsystem maintainer. In that case adding the following line to the signed-off-by section of the patch will cause it to be pulled into the currently maintained stable trees as soon as it is pulled into Linus tree. {{{ Cc: stable@kernel.org Signed-off-by: ... }}} ==== Already submitted patches ==== If the patch is already in Linus tree, but has not been sent to stable at that time, it can be sent to the stable mail address. In that case at least the subsystem maintainer (but better is to send it cc to all those that have been in the signed-off-by section) must be set on cc. Also the mail must contain a quick explanation to why this qualifies for the stable tree. Depending on the patch, it might be a good idea to contact the subsystem maintainer on the subject and get his or her agreement in advance. ==== Different fix than upstream ==== There are cases where a fix will be different from the patch submitted to the upstream tree. Either because other changes require some modifications or because upstream has chosen a new/different approach now. In that case the backported or specially crafted patch is sent to stable@kernel.org directly, too. But again absolutely must cc the subsystem maintainer. Also the mail must clearly explain why this is done this way. Otherwise the patch just might get ignored. ==== Hinting pre-requisite patches ==== As a new addition to the known "Cc: stable@kernel.org" line, it is possible to give hints about any patches that are required for the stable patch to work correctly. The following example, taken from the stable_kernel_rules.txt file, shows the signed-off-by section in such a case: {{{ Cc: <stable@kernel.org> # .32.x: a1f84a3: sched: Check for idle Cc: <stable@kernel.org> # .32.x: 1b9508f: sched: Rate-limit newidle Cc: <stable@kernel.org> # .32.x: fd21073: sched: Fix affinity logic Cc: <stable@kernel.org> # .32.x Signed-off-by: Ingo Molnar <mingo@elte.hu> }}} Patches will be picked in the order they appear, so a1f84a3 will be the first and fd21073 the last (before the patch this is contained is applied). |
|
| Line 17: | Line 58: |
| StableReleaseUpdates with a kernel specific part described KernelUpdates (''Note the proposal below''). * Every SRU needs a bug. Patches are sent to kernel mailing list and have to get at least one ''ACK'' (maybe 2 with the current team size). * SRU justification is added to bug and nomination for releases are used to track progress for each release (if appropriate). |
StableReleaseUpdates with a kernel specific part described [[KernelTeam/KernelUpdates|KernelUpdates]]. * Every SRU needs a bug. Patches are sent to kernel mailing list and have to get at least two ''ACK''s from other senior kernel developers (those in the kernel_cdev group on zinc). * All patches should be signed-off-by the person who did the patch. The developer who is committing the final patch, also needs to add his SOB. * Patches from upstream should not change the submitter's reference. They should be cherry-picked or exported and then re-imported (''git format-patch'' and ''git-am''. Personally I do a {{{ git format-patch -s <sha> -1 }}} then add bug and/or CVE references and then import the resulting patch (the -s automatically adds a signed-of-by line). * Changes that require an kABI bump should be marked by adding "BumpABI: yes" to the git message. This is a manual process but makes life simpler of someone asks why the ABI has been bumped. * SRU justification is added to bug report and nomination for releases are used to track progress for each release (if appropriate). |
| Line 25: | Line 74: |
| * ['''TBD'''] milestone is set for ??? (patches that are important, or just generally if we think it should get into next release). '''Proposal:''' Always add fixes from -stable tree. Since the process for stable kernel updates ([[http://lwn.net/Articles/126915/|LWN article]]) is very similar to our SRU process and there have been quite a number of bugs that have been solved by finally finding out that there has been a fix in the stable tree, there has been a proposal to add those automatically to our stable tree (discussion was on kernel team mailing list). The updated process could look like this: * Stable release updates from the kernel.org stable kernel that matches the kernel version will qualify as SRU updates. Possible import process could be: * one LP bug for each release * one LP bug for each patch of each release * Those updates also should be ''ACK''ed by at least one (two) members of the kernel team. * Updates resulting from stable tree imports should be kept at least 2 weeks in -proposed before moving to -updates. Any change or regression in the stable tree resets the counter. |
* The milestone is set for the next official update release only for bugs that are important (iow when you want to be chased by a release manager if that patch fails to get included). |
| Line 63: | Line 93: |
| * ['''TBD'''] verification of the vulnerability (if possible) ''this would be good but requires automated tests'' Proposed work flow for security updates with unreleased or pending -proposed updates: * create a branch based on the last official (-updates/-security) release * add fixes and do the release from this branch * after release (and after gathering the ABI files) merge back to main tree. This makes sure the version of the security release can be checked out and based upon. |
* Kees has a little test script in bazar which is good for testing: {{{ bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing cd qa-regression-testing/scripts sudo apt-get install build-essential python-unit sudo libcap2-bin lsb-release ./test-kernel-security.py -v }}} Work flow for security updates with unreleased or pending -proposed updates: * create a branch based on the last official (-updates/-security) release * add fixes and do the release from this branch * after the security release is final and if there was a release in proposed, create a new branch which is based on the last proposed release, merge back the security branch and prepare everything for a rebuild (fix up ABI files and the changelog). * Finally check out the master branch, merge back either the security or proposed branch and fix up the ABI and changelog. This makes sure the version of the security release can be checked out and based upon. |
| Line 79: | Line 113: |
==== Versioning ==== A general rule is that the security release has to be a higher version/release number than anything else. This causes some headaches if there is a proposed version not yet moved into updates, especially if this is an ABI bumper. 1. If there is no kernel package in proposed, the security release just gets the next release number. Should the security release require an ABI bump, this is also done like normally. 1. If there is a kernel in proposed, the security release gets the next number that would follow it. 1. Should this proposed kernel be an ABI bumper, then the security release has to match that ABI number and the rebuild of proposed needs to bump the ABI again. 1. Should the proposed kernel be an ABI bump and the security release is also an ABI bump, the security release must bump the ABI and upload number of the kernel currently in proposed. The following examples try to illustrate the version handling: {{{ Updates: 1.1 --+-------------------------+-- Proposed: \-- 1.2 -------+-- 1.4 --/ Security: \-------- 1.3 / Updates: 1.1 --+--------------------------+-- Proposed: \-- 2.2 ---------+-- 3.4 --/ Security: \-------- 2.3 --/ Updates: 1.1 --+----------------------------+-- Proposed: \-- 2.2 ----------+-- 4.4 --/ Security: \--------- 3.3 --/ }}} In any case where there was a proposed kernel pending and it has to be rebuild with the security patches included, the changelog will be modified to include all changes that have been recorded by proposed uploads which have not been moved to updates, as the new release and the old ones get dropped. Here an example. Given there have been two uploads to proposed accumulated but not moved to updates. The changlog would look like this: {{{ linux (2.6.24-1.3) hardy-proposed ... - item 3 linux (2.6.24-1.2) hardy-proposed ... - item 2 - item 1 linux (2.6.24-1.1) hardy ... - in updates }}} Then a security release comes and takes precedence. After that has been released we prepare a new upload to proposed and the changelog looks like that: {{{ linux (2.6.24-1.5) hardy-proposed ... - item 3 - item 2 - item 1 linux (2.6.24-1.4) hardy-security ... - security update linux (2.6.24-1.1) hardy ... - in updates }}} |
|
| Line 111: | Line 195: |
| * Are there duplicate/unwanted entries * Has every entry a bug reference * Ubuntu patches (UBUNTU keyword prefixed) automatically this if they contained a ''Bug'' keyword in the description. |
* Are there duplicate/unwanted entries? * Has every entry a bug reference? * Ubuntu patches (UBUNTU keyword prefixed) automatically get this if they contained a ''Bug'' keyword in the description. Some of the build environments have been updated to do the same for upstream patches with a ''Bug'' entry. |
| Line 120: | Line 204: |
| {{{ UBUNTU: Fix stupid bug BugLink: http://bugs.launchpad.net/bugs/<bugnumber> CVE-2008-0815 }}} |
|
| Line 121: | Line 211: |
| * The changelog keeps order of uploads, git log the order of check ins but this cannot always be honoured. The make process cannot handle complicated forth and back of ABI releases. | * The changelog keeps order of uploads, git log the order of check-ins but this cannot always be honoured. The make process cannot handle complicated forth and back of ABI releases. But in general the sequence of the changelog reflects the upload [[https://edge.launchpad.net/ubuntu/+source/linux/+publishinghistory|history]] |
| Line 124: | Line 214: |
| the -v option (and have the orig.tar.gz, to do only diff uploads) | the -v option (and have the orig.tar.gz, to do only diff uploads). If the the orig.tar.gz file is placed into the directory above the kernel tree, this will be done automagically. |
| Line 133: | Line 223: |
| to updates. Updates to security probably the same but most of the time those are both the same anyway. |
to updates. Updates to security should probably be done the same way, but since -security is moved to -updates rather quickly, both will be the same version anyway. |
| Line 138: | Line 227: |
| The release is done by uploading the source packages to special servers. If the kernel ABI has changed, LUM, LBM and LRM must be uploaded with updated version/ABI numbers as well. Also the linux-meta package must be updated and uploaded (after the other packages are done). |
|
| Line 150: | Line 241: |
| * If the kABI changed note the reasoning on the [[https://wiki.ubuntu.com/KernelTeam/Stable_kABI|stable kernel ABI]] wiki page. * Propose tag for ABI changing checkings (BumpABI). This is manual but it allows a quick overview which changes caused ABI bumps. |
* If the kABI changed note the reasoning on the [[https://wiki.ubuntu.com/KernelTeam/Stable_kABI|stable kernel ABI]] wiki page. This must also be announced by mails to * kernel-team@lists.ubuntu.com (kernel team mailing list) * ubuntu-mobile@lists.ubuntu.com (mobile team for all SRU kernels) * ubuntu-installer@lists.ubuntu.com (installer team mailing list for ABI bumps) |
| Line 160: | Line 252: |
| * The ABI files have to be fetched. Would it make sense to get them, then change the release tag to that state? Better would be to get those from test builds. Currently the only problem is HPPA (no host). * The creation of the new release uses ''whoami'' and stuff. Might be better to take DEBNAME and DEBEMAIL... |
* The ABI files have to be fetched when starting a new release. The buildscript build-getabis can be used to fetch the ABI files from the builders. So one has not to wait until the upload is complete. |
Contents |
This document is intended to document the processes involved in the maintenance of stable (after release) kernel trees. Those should be independent of a specific release. If not, this should be noted on the specific description.
Post-release updates
Getting fixes into upstream stable
As soon as a new upstream kernel gets released, there will be related 2.6.x.y tree. This will usually get maintained until the next upstream kernel is released. There is currently one exception with 2.6.27.y which is maintained long-term by GregKH and 2.6.32.y has high chances of being maintained for a longer period of time.
There is a documentation file on the upstream stable process which can be found in the Linux tree under Documentation/stable_kernel_rules.txt. The written down rules for acceptable patches are very like those set down for SRU acceptance. Though in practice, they seem to be handled a bit relaxed.
New patches
When trying to get a fix into upstream stable, the first question to as is: Has the patch been sent to upstream already? If it is a new fix, the decision whether it is suitable for stable is made by the author or subsystem maintainer. In that case adding the following line to the signed-off-by section of the patch will cause it to be pulled into the currently maintained stable trees as soon as it is pulled into Linus tree.
Cc: stable@kernel.org Signed-off-by: ...
Already submitted patches
If the patch is already in Linus tree, but has not been sent to stable at that time, it can be sent to the stable mail address. In that case at least the subsystem maintainer (but better is to send it cc to all those that have been in the signed-off-by section) must be set on cc. Also the mail must contain a quick explanation to why this qualifies for the stable tree. Depending on the patch, it might be a good idea to contact the subsystem maintainer on the subject and get his or her agreement in advance.
Different fix than upstream
There are cases where a fix will be different from the patch submitted to the upstream tree. Either because other changes require some modifications or because upstream has chosen a new/different approach now. In that case the backported or specially crafted patch is sent to stable@kernel.org directly, too. But again absolutely must cc the subsystem maintainer. Also the mail must clearly explain why this is done this way. Otherwise the patch just might get ignored.
Hinting pre-requisite patches
As a new addition to the known "Cc: stable@kernel.org" line, it is possible to give hints about any patches that are required for the stable patch to work correctly. The following example, taken from the stable_kernel_rules.txt file, shows the signed-off-by section in such a case:
Cc: <stable@kernel.org> # .32.x: a1f84a3: sched: Check for idle Cc: <stable@kernel.org> # .32.x: 1b9508f: sched: Rate-limit newidle Cc: <stable@kernel.org> # .32.x: fd21073: sched: Fix affinity logic Cc: <stable@kernel.org> # .32.x Signed-off-by: Ingo Molnar <mingo@elte.hu>
Patches will be picked in the order they appear, so a1f84a3 will be the first and fd21073 the last (before the patch this is contained is applied).
SRUs/bugs
Stable release updates will be done after the initial release. To prevent regressions there are a more formal process involved in getting new patches included. The process is described in general at StableReleaseUpdates with a kernel specific part described KernelUpdates.
Every SRU needs a bug. Patches are sent to kernel mailing list and have to get at least two ACKs from other senior kernel developers (those in the kernel_cdev group on zinc).
- All patches should be signed-off-by the person who did the patch. The developer who is committing the final patch, also needs to add his SOB.
Patches from upstream should not change the submitter's reference. They should be cherry-picked or exported and then re-imported (git format-patch and git-am. Personally I do a
git format-patch -s <sha> -1
then add bug and/or CVE references and then import the resulting patch (the -s automatically adds a signed-of-by line).- Changes that require an kABI bump should be marked by adding "BumpABI: yes" to the git message. This is a manual process but makes life simpler of someone asks why the ABI has been bumped.
- SRU justification is added to bug report and nomination for releases are used to track progress for each release (if appropriate).
- ubuntu-sru has to get subscribed
- The milestone is set for the next official update release only for bugs that are important (iow when you want to be chased by a release manager if that patch fails to get included).
CVEs/security updates
Current contact: Kees Cook
CVE updates usually are done in batches (except for very critical problems). There is a list of CVEs and all currently maintained releases have to be checked for possible vulnerabilities.
The patchsets are prepared by one member of the stable maintenance team but not pushed if any of the patches still is embargoed.
- test builds must be done at least for i386 and amd64
- test packages and upload sources are provided on an internal server (e.g. chinstrap).
- boot tests should be done for i386 (and amd64)
Kees has a little test script in bazar which is good for testing:
bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing cd qa-regression-testing/scripts sudo apt-get install build-essential python-unit sudo libcap2-bin lsb-release ./test-kernel-security.py -v
Work flow for security updates with unreleased or pending -proposed updates:
- create a branch based on the last official (-updates/-security) release
- add fixes and do the release from this branch
- after the security release is final and if there was a release in proposed, create a new branch which is based on the last proposed release, merge back the security branch and prepare everything for a rebuild (fix up ABI files and the changelog).
- Finally check out the master branch, merge back either the security or proposed branch and fix up the ABI and changelog.
This makes sure the version of the security release can be checked out and based upon.
Note: Had to use "git push origin master" to get merges visible.
Versioning
A general rule is that the security release has to be a higher version/release number than anything else. This causes some headaches if there is a proposed version not yet moved into updates, especially if this is an ABI bumper.
- If there is no kernel package in proposed, the security release just gets the next release number. Should the security release require an ABI bump, this is also done like normally.
- If there is a kernel in proposed, the security release gets the next number that would follow it.
- Should this proposed kernel be an ABI bumper, then the security release has to match that ABI number and the rebuild of proposed needs to bump the ABI again.
- Should the proposed kernel be an ABI bump and the security release is also an ABI bump, the security release must bump the ABI and upload number of the kernel currently in proposed.
The following examples try to illustrate the version handling:
Updates: 1.1 --+-------------------------+-- Proposed: \-- 1.2 -------+-- 1.4 --/ Security: \-------- 1.3 / Updates: 1.1 --+--------------------------+-- Proposed: \-- 2.2 ---------+-- 3.4 --/ Security: \-------- 2.3 --/ Updates: 1.1 --+----------------------------+-- Proposed: \-- 2.2 ----------+-- 4.4 --/ Security: \--------- 3.3 --/
In any case where there was a proposed kernel pending and it has to be rebuild with the security patches included, the changelog will be modified to include all changes that have been recorded by proposed uploads which have not been moved to updates, as the new release and the old ones get dropped. Here an example. Given there have been two uploads to proposed accumulated but not moved to updates. The changlog would look like this:
linux (2.6.24-1.3) hardy-proposed ... - item 3 linux (2.6.24-1.2) hardy-proposed ... - item 2 - item 1 linux (2.6.24-1.1) hardy ... - in updates
Then a security release comes and takes precedence. After that has been released we prepare a new upload to proposed and the changelog looks like that:
linux (2.6.24-1.5) hardy-proposed ... - item 3 - item 2 - item 1 linux (2.6.24-1.4) hardy-security ... - security update linux (2.6.24-1.1) hardy ... - in updates
Updates to custom binaries (virtual/openvz/...)
Custom binary builds are usually community maintained and not as critical as the main kernel flavours. Nevertheless updates should follow a certain pattern to be clearly documented.
- Get triggered by a community member (usually kernel-team mailing list)
- Open a LP bug for SRU documentation
- Create a branch and pull/cerry-pick
- Do a test build
- Publish the SRU request on the kernel-team list. References to patches as gitweb links since patches might be big.
Test builds
Either in a PPA or on the porter machines. HPPA is a problem due to hardware access.
Release
Pre-release tasks
A new upload is prepared by editing/creating the changelog (KernelMaintenance)
- Use chroots to create the uploads (because scripts depend on certain environments)
The insertchanges target does not always work properly, especially on older releases. Always make sure to check the generated file.
- Are there duplicate/unwanted entries?
- Has every entry a bug reference?
Ubuntu patches (UBUNTU keyword prefixed) automatically get this if they contained a Bug keyword in the description. Some of the build environments have been updated to do the same for upstream patches with a Bug entry.
Patches from upstream did not (but do with updated scripts and if they include a Bug keyword.
- CVEs should have the CVE-xxxx-xxxx number in their description
UBUNTU: Fix stupid bug BugLink: http://bugs.launchpad.net/bugs/<bugnumber> CVE-2008-0815
The changelog keeps order of uploads, git log the order of check-ins but this cannot always be honoured. The make process cannot handle complicated forth and back of ABI releases. But in general the sequence of the changelog reflects the upload history
On updates the command for generating the source package should include the -v option (and have the orig.tar.gz, to do only diff uploads). If the the orig.tar.gz file is placed into the directory above the kernel tree, this will be done automagically.
dpkg-buildpackage -S -rfakeroot -I.git -I.gitignore -i'\.git.*' \
-v<version>A note to <version>: this should be the last relevant version uploaded. So for uploads to -proposed this should be the last version uploaded to updates. Updates to security should probably be done the same way, but since -security is moved to -updates rather quickly, both will be the same version anyway.
The actual release
The release is done by uploading the source packages to special servers. If the kernel ABI has changed, LUM, LBM and LRM must be uploaded with updated version/ABI numbers as well. Also the linux-meta package must be updated and uploaded (after the other packages are done).
- The upload target differs, depending on the type of upload:
-security uploads go to security.ubuntu.com (jackass) while
-proposed uploads go to upload.ubuntu.com
The packages have to be signed by someone with the upload rights and the uploaded packages will be invisible until they are ACCEPTED
For -security uploads the contacts are kees or jdstrand. For those the status is even invisible after acceptance.
For -proposed uploads the packages have to be accepted by either slangasek or pitty (or cjwatson(?))
If the kABI changed note the reasoning on the stable kernel ABI wiki page. This must also be announced by mails to
kernel-team@lists.ubuntu.com (kernel team mailing list)
ubuntu-mobile@lists.ubuntu.com (mobile team for all SRU kernels)
ubuntu-installer@lists.ubuntu.com (installer team mailing list for ABI bumps)
- Somehow also keep track of the changes in supported hardware to gather this for releases.
Post-release tasks
As described in KernelMaintenance. Thoughts on that:
- The ABI files have to be fetched when starting a new release. The buildscript build-getabis can be used to fetch the ABI files from the builders. So one has not to wait until the upload is complete.
KernelTeam/StableKernelMaintenance (last edited 2016-07-07 19:32:24 by kamalmostafa)