Ubuntu Wiki

How the Security Team interacts with the regular Ubuntu Release Cycle.

Security Updates

pre-feature-freeze

• request syncs for issues fixed in stable releases that are not fixed in the development release, but are fixed in upstream versions.

post-feature-freeze

• request feature-freeze exceptions for upstream security fixes, or push security patches, depending on extent of upstream changes.

post-beta

• focus security updates on any updates still missing from devel release that are present in stable updates

Regression Testing

pre-alpha 6

• run regression tests when any major changes are noticed

between alpha 6 and beta

• run regression tests on at least kernel and glibc security protections on multiple architecture/kernel combinations (i386 w/o PAE, i386 w/ PAE, amd64).

post-beta

• run full set of existing regression tests and get them either updated or real bugs fixed

• run test-rng.py --all --report from qa-regression-testing (takes many days, so may want to spread across multiple machines) and put the results in qa-regression-testing/results/test-rng.py/<release number>. This is likely a good use of EC2 (but keep in mind as of 2009/04/27 it costs ~ $100).

• run qa-regression-testing/install/get_file_info.sh and see if any problems

post-rc1

• run install/get_file_info.sh and record results in qa-regression-testing/install/get_file_info_results (see qa-regression-testing/install/README for details). This also needs to be done on the final images

EOL Checklist

Infrastructure

• from ubuntu-cve-tracker's README section "End of Life":
  • add release to 'eol_releases' in scripts/cve_lib.py

  • mark any active CVEs for that release with an EOL comment: ./scripts/sync-from-eol.py -WUu -r $RELEASE

  • run a CVE retirement cycle

  • remove release from boilerplates: sed -i "/^<release>_\(.*\): /d" ./active/00boilerplate*

• make sure MoM is updated for -security pockets according to EndOfLifeProcess

• update ubuntu-cve-tools/scripts/packages-mirror to lose old release

• update architectures in SecurityTeam/FAQ

• regenerate Security/Features from $UCT/scripts/dump-features

Individuals

• update ~/.ubuntu-security-tools.conf settings for:
  • "release_list" loses EOL release name
• update debmirror/apt-cacher lists to drop old release
• delete VMs and schroots from old release

Release Checklist

Infrastructure

• update scripts/sis-generate-usn to have the new release in releasemap

• update scripts/sis-changes to have the new release in releases

• update scripts/cve_lib.py:

  • devel_release is emptied

  • Add release entry and timestamp to release_stamps. (The time stamp can be generated based of the date stamp of the release file rounded up to the next hour; e.g. echo "(($(date -r  /PATH/TO/UBUNTU/ARCHIVE/dists/RELEASE/Release.gpg +%s) / 3600 ) + 1) * 3600" | /usr/bin/bc

• move all active CVEs and boilerplates from "devel" to release state:

  • ./scripts/release-cycle-released $RELEASE

• update usn-tool for publication

  • update templates/html-drupal.html (add to release_list div, add a new stanza in the 'for each' part of that div, and add a show_binaries entry). This is no longer used by the security team, but might be in landscape (TODO: check).

  • update templates/email-maria.txt (add a new stanza to the 'affected releases' section, add a show_packages entry, and add a show_release_urls entry). This is no longer used by the security team, but might be in landscape (TODO: check).

  • update templates/email-new-format.txt (add a new stanza to the 'affected releases' section, add a show_packages entry, add a show_package_description entry, add a show_source_link entry, add a show_packages entry)

  • pull these changes down on people (this happens automatically, but it will need to happen before a USN publication):

    $ cd /home/ubuntu-security/bzr-pulls/usn-tool/
    $ sudo -u ubuntu-security bzr pull

• update architectures in SecurityTeam/FAQ

• update security-tools/build-tools/security-fake-sync for new stable release (ubuntu_version())

Individuals

• update ~/.ubuntu-security-tools.conf settings for:

  • release_devel is emptied

• add security-RELEASE and security-proposed-RELEASE sections to ~/.dput.cf

Devel Opens

Infrastructure

• fill in releases and devel_release in ubuntu-cve-tools/scripts/cve_lib.py

• add release to non-ports and ports section of ubuntu-cve-tools/scripts/packages-mirror

• update security-tools/build-tools/security-fake-sync for new release (next_release())

• update graphing scripts on people in ~ubuntu-security/graphing

  • supported.data.template:

    • copy last line of supported.data to populate the commented out release, and uncomment it

    • add the new release column
    • add the new devel line, commented out

  • supported-src.data.template:

    • copy last line of supported-src.data to populate the commented out release, and uncomment it

    • add the new release column
    • add the new devel line, commented out

  • update.sh REL updated, INDEX incremented by 1 (to match column in the .template files)

• regenerate Security/Features/Historical from $UCT/scripts/dump-features --historical

Individuals

• update debmirror/apt-cacher lists to include new release

• update ~/.ubuntu-security-tools.conf settings for:

  • release_list gains new release name

  • release_devel gains new release name

• build new VMs and schroots for new release

CategorySecurityTeam