ReleaseCycle

Differences between revisions 107 and 108
Revision 107 as of 2013-04-29 21:29:12
Size: 13228
Editor: seth-arnold
Comment: ubuntu-cve-tools -> ubuntu-cve-tracker
Revision 108 as of 2013-04-29 22:12:18
Size: 13230
Editor: seth-arnold
Comment: ubuntu-cve-tools -> ubuntu-cve-tracker
Deletions are marked like this. Additions are marked like this.
Line 115: Line 115:
 * add release to non-ports and ports section of `ubuntu-cve-tools/scripts/packages-mirror`  * add release to non-ports and ports section of `ubuntu-cve-tracker/scripts/packages-mirror`

How the Security Team interacts with the regular Ubuntu Release Cycle.

Security Updates

pre-feature-freeze

  • request syncs for issues fixed in stable releases that are not fixed in the development release, but are fixed in upstream versions.

post-feature-freeze

  • request feature-freeze exceptions for upstream security fixes, or push security patches, depending on extent of upstream changes.

post-beta

  • focus security updates on any updates still missing from devel release that are present in stable updates (see 'Show all out-of-sync CVEs for the devel release' from $UCT/README for assistance)
  • add the following to the announcements section of the ubuntu-security weekly meeting: "Ubuntu <version> is scheduled to release in a few weeks. If you are interested, it would be great if people helped make sure that the Ubuntu CVE Tracker is up to date for the devel release (particularly for universe/multiverse packages."

Regression Testing

pre-Alpha 3

  • run regression tests when any major changes are noticed

Alpha 3

  • run kernel hardening regression tests on multiple architecture/kernel combinations (i386 w/o PAE, i386 w/ PAE, amd64) (test-kernel*.py)
  • run gcc hardening regression tests on amd64 and i386 (test-gcc-security.py)
  • run glibc hardening regression tests on amd64 and i386 (test-glibc-security.py)
  • run other user-space hardening tests (eg PIE) on amd64 and i386 (test-built-binaries.py)

Beta 2

  • run kernel hardening regression tests on multiple architecture/kernel combinations (i386 w/o PAE, i386 w/ PAE, amd64) (test-kernel*.py)
  • run gcc hardening regression tests on amd64 and i386 (test-gcc-security.py)
  • run glibc hardening regression tests on amd64 and i386 (test-glibc-security.py)
  • run other user-space hardening tests (eg PIE) on amd64 and i386 (test-built-binaries.py)
  • run remaining regression tests from qa-regression-testing, updating the tests or reporting bugs against the package
  • run test-rng.py --all --report from qa-regression-testing (takes many days, so may want to spread across multiple machines) and put the results in qa-regression-testing/results/test-rng.py/<release number>. This is likely a good use of EC2 (but keep in mind as of 2009/04/27 it costs ~ $100).

  • run qa-regression-testing/install/get_file_info.sh and review for problems

post-rc1

  • run install/get_file_info.sh and record results in qa-regression-testing/install/get_file_info_results (see qa-regression-testing/install/README for details). This also needs to be done on the final images

  • Review supported kernels with the kernel team

EOL Checklist

Infrastructure (EOL)

  • from ubuntu-cve-tracker's README section "End of Life":
    • mark any active CVEs for that release with an EOL comment: ./scripts/sync-from-eol.py -WUu -r $RELEASE

    • add release to 'eol_releases' in scripts/cve_lib.py
    • run a CVE retirement cycle
    • remove release from boilerplates: sed -i -e '/^<release>_\(.*\): /d' -e '/^#<release>_PKG:/d' ./active/00boilerplate*

    • remove any backport kernels for this release from 00boilerplate.linux
  • update ubuntu-cve-tracker/scripts/packages-mirror to lose old release
  • update architectures to include "EOL" footnote in SecurityTeam/FAQ

  • regenerate Security/Features from $UCT/scripts/dump-features --editmoin

  • review and optionally closed bug tasks for EOL releases with $UCT/scripts/report-bugs-for-eol

  • update $QRT/README.testing to remove EOL release
  • update people:~ubuntu-security/.ubuntu-security-tools.conf settings for (used by kernel-abi-check):

    • "release_list" loses EOL release name
  • remove release from $UQT/security-tools/kernel-abi-check and update $UQT/security-tools/kernel-abi-check to remove any checks for EOL kernels (ie, pocket_abis_match('<release>'...). Note this also require a manual bzr pull on people

  • update security-tools/build-tools/security-fake-sync to ensure LTS releases point to the right place (next_release())

Individuals (EOL)

  • update ~/.ubuntu-security-tools.conf settings for:

    • "release_list" loses EOL release name
  • No longer required with uvt: update ~/.uqt-vm-tools.conf settings for:

    • "vm_release_list" loses EOL release name
  • update debmirror/apt-cacher lists to drop old release
  • delete VMs and schroots from old release
  • adjust sources.list to remove deb and deb-src for old release

Release Checklist

Infrastructure (release)

  • update $UCT/scripts/cve_lib.py:

    • add the new release in releases

    • devel_release is emptied

    • Add release entry and timestamp to release_stamps. (The time stamp can be generated based of the date stamp of the release file rounded up to the next hour; e.g. echo "(($(date -r  /PATH/TO/UBUNTU/ARCHIVE/dists/RELEASE/Release.gpg +%s) / 3600 ) + 1) * 3600" | /usr/bin/bc

    • update release_expectations for the new release, and add a commented out section for the new devel release

  • move all active CVEs and boilerplates from "devel" to release state:
    • cd $UCT ; ./scripts/release-cycle-released $RELEASE

  • Update 'releases' in $UCT/scripts/report-todo-recommend to contain the most recent LTS and most recent non-LTS in check for if not opt.all_releases:

  • Update $UCT/scripts/cve.vim to include the new release.

  • update usn-tool for publication
    • update templates/html-drupal.html (add to release_list div, add a new stanza in the 'for each' part of that div, and add a show_binaries entry). This is no longer used by the security team, but might be in landscape (TODO: check).

    • update templates/email-maria.txt (add a new stanza to the 'affected releases' section, add a show_packages entry, and add a show_release_urls entry). This is no longer used by the security team, but might be in landscape (TODO: check).

    • update templates/email-new-format.txt (add a new stanza to the 'affected releases' section, add a show_packages entry, add a show_package_description entry, add a show_source_link entry)

    • pull these changes down on people (this happens automatically, but it will need to happen before a USN publication):

      $ cd /home/ubuntu-security/bzr-pulls/usn-tool/
      $ sudo -H -u ubuntu-security bzr pull
  • update architectures in SecurityTeam/FAQ

  • update security-tools/build-tools/security-fake-sync for new stable release (ubuntu_version() and next_release())

  • update people:~ubuntu-security/.ubuntu-security-tools.conf settings for:

    • release_devel is emptied

  • add release's kernels to $UQT/security-tools/kernel-abi-check (based on the kernel team's ABI page)

  • ask webops in #webops to update the usn-website to have the version for the new release (eg, it should have "Ubuntu <version>"). Eg LP: #773627. This can be done via the '/usn/admin' interface. There shouldn't be an entry for the development release.

  • Update AppArmor

  • Update UncomplicatedFirewall

  • Verify versions for AppArmor in $UCT/scripts/dump-features and regenerate Security/Features from $UCT/scripts/dump-features --editmoin

  • use sync-from-versions -r $RELEASE -s not-affected. If satisfy with the result, use sync-from-versions -r $RELEASE -s not-affected -u

Individuals (release)

  • update ~/.ubuntu-security-tools.conf settings for:

    • release_devel is emptied

  • add security-RELEASE and security-proposed-RELEASE sections to ~/.dput.cf (not normally needed if using recommended dput setup)

  • pull infrastructure changes (from above):
    • usn-tool
    • ubuntu-cve-tracker
    • ubuntu-security-tools
    • ubuntu-qa-tools

Devel Opens

Infrastructure (devel)

  • fill in releases, flavor_releases, devel_release and release_names in ubuntu-cve-tracker/scripts/cve_lib.py

  • Move all active CVEs and boilerplates from latest release to devel state:
    • ./scripts/release-cycle-devel-opens $LATEST_STABLE_RELEASE

  • add release to non-ports and ports section of ubuntu-cve-tracker/scripts/packages-mirror

  • update security-tools/build-tools/security-fake-sync for new release (next_release())

  • update graphing scripts on people in ~ubuntu-security/graphing (see ~ubuntu-security/graphing/README for details)

    • supported.data.template has the binary package counts. To update:

      • determine the binary package counts ($packages_mirror is set in ~/.ubuntu-cve-tracker.conf):

        $ cd $packages_mirror ; zcat ./dists/$LATEST_STABLE_RELEASE/main/binary-*/Packages.gz ./dists/$LATEST_STABLE_RELEASE/restricted/binary-*/Packages.gz | grep '^Package:' | sort -u | wc -l
      • take the last line of the file and add it above the commented line in the .template file
      • in the .template file, update the commented out release name to next release and adjust counts for EOL releases
      • in the .template file, add the new release column header name
      • in the .template file, add a 0 column to all lines (except the last uncommented line), making sure everything is sensible for package counts
    • supported-src.data.template:

      • determine the source package counts:

        $ cd $packages_mirror ; zcat ./dists/$LATEST_STABLE_RELEASE/main/source/Sources.gz ./dists/$LATEST_STABLE_RELEASE/restricted/source/Sources.gz | grep '^Package:' | sort -u | wc -l
      • take the last line of the file and add it above the commented line in the .template file
      • in the .template file, update the commented out release name to next release and adjust counts for EOL releases
      • in the .template file, add the new release column header name
      • in the .template file, add a 0 column to all lines (except the last uncommented line), making sure everything is sensible for package counts
    • update.sh REL updated, INDEX incremented by 1 (to match column in the .template files excluding the newly added devel release, since we don't know its package counts yet))

    • add to .bzrignore:

      $NEW_RELEASE-src.data
      $NEW_RELEASE.data
  • update people:~ubuntu-security/.ubuntu-security-tools.conf settings for:

    • release_list gains new release name

    • release_devel gains new release name

  • regenerate Security/Features from $UCT/scripts/dump-features

  • regenerate Security/Features/Historical from $UCT/scripts/dump-features --historical

  • update SecurityTeam/KnowledgeBase/AppArmorProfiles

  • create new release in apparmor-profiles and copy profiles over from previous release
  • Make sure lp:ubuntu-qa-tools/responses/update-bug includes the new release
  • update $QRT/README.testing for new development release
  • update ubuntu-security crontab on people to use the new development release for:
    • work_items.sh
    • create-dashboard.sh

Individuals (devel)

  • Update the following bzr trees:
    • ubuntu-cve-tracker
    • ubuntu-security-tools
    • ubuntu-qa-tools
    • qa-regression-testing
  • update debmirror/apt-cacher lists to include new release
  • update ~/.ubuntu-security-tools.conf settings for:

    • release_list gains new release name

    • release_devel gains new release name

  • build new VMs and schroots for new release (remembering to update 'vm_release_list' in '~/.uqt-vm-tools.conf' (not needed if using uvt))
  • pull infrastructure changes (from above):
    • ubuntu-cve-tracker
  • update your packages mirror with $UCT/scripts/packages-mirror -r $NEW_RELEASE

  • update your partner packages mirror with $UCT/scripts/packages-mirror -p

  • update your sources.list to have the appropriate deb-src lines for the new release (eg use $UST/build-tools/build-sources-list output in /etc/apt/sources.list.d/ubuntu-security.list)

  • [optional] subscribe to $NEW_RELEASE-changes at https://lists.ubuntu.com/mailman/listinfo/$NEW_RELEASE-changes

QA (devel)

For projects where the security team is the upstream maintainer (eg, AppArmor, ufw, ecryptfs):

  • Update the daily build PPA to build for the development release
  • As needed, update the daily build PPA packaging (eg, merge in any changes since the last release)

LTS loses Desktop support

  • generate $UCT/$RELEASE-supported.txt with a list of all the source packages that will get 5 years of support.

  • update $UCT/scripts/cve_lib.py's lts_partial_supported_releases variable to include th LTS.

  • run $UCT/scripts/check-syntax to update all the CVEs to the "ignored" state for the EOL packages.


CategorySecurityTeam

SecurityTeam/ReleaseCycle (last edited 2024-01-29 10:29:06 by ebarretto)