ReleaseCycle
How the Security Team interacts with the regular Ubuntu Release Cycle.
Security Updates
pre-feature-freeze
- request syncs for issues fixed in stable releases that are not fixed in the development release, but are fixed in upstream versions.
post-feature-freeze
- request feature-freeze exceptions for upstream security fixes, or push security patches, depending on extent of upstream changes.
post-beta
- focus security updates on any updates still missing from devel release that are present in stable updates (see 'Show all out-of-sync CVEs for the devel release' from $UCT/README for assistance)
add the following to the announcements section of the ubuntu-security weekly meeting: "Ubuntu <version> is scheduled to release in a few weeks. If you are interested, it would be great if people helped make sure that the Ubuntu CVE Tracker is up to date for the devel release (particularly for universe/multiverse packages."
Regression Testing
pre-Alpha 3
- run regression tests when any major changes are noticed
Alpha 3
- run kernel hardening regression tests on multiple architecture/kernel combinations (i386 w/o PAE, i386 w/ PAE, amd64) (test-kernel*.py)
- run gcc hardening regression tests on amd64 and i386 (test-gcc-security.py)
- run glibc hardening regression tests on amd64 and i386 (test-glibc-security.py)
- run other user-space hardening tests (eg PIE) on amd64 and i386 (test-built-binaries.py)
Beta 2
- run kernel hardening regression tests on multiple architecture/kernel combinations (i386 w/o PAE, i386 w/ PAE, amd64) (test-kernel*.py)
- run gcc hardening regression tests on amd64 and i386 (test-gcc-security.py)
- run glibc hardening regression tests on amd64 and i386 (test-glibc-security.py)
- run other user-space hardening tests (eg PIE) on amd64 and i386 (test-built-binaries.py)
- run remaining regression tests from qa-regression-testing, updating the tests or reporting bugs against the package
run test-rng.py --all --report from qa-regression-testing (takes many days, so may want to spread across multiple machines) and put the results in qa-regression-testing/results/test-rng.py/<release number>. This is likely a good use of EC2 (but keep in mind as of 2009/04/27 it costs ~ $100).
run qa-regression-testing/install/get_file_info.sh and review for problems
post-rc1
run install/get_file_info.sh and record results in qa-regression-testing/install/get_file_info_results (see qa-regression-testing/install/README for details). This also needs to be done on the final images
EOL Checklist
Infrastructure (EOL)
- from ubuntu-cve-tracker's README section "End of Life":
mark any active CVEs for that release with an EOL comment: ./scripts/sync-from-eol.py -WUu -r $RELEASE
- add release to 'eol_releases' in scripts/cve_lib.py
- run a CVE retirement cycle
remove release from boilerplates: sed -i "/^<release>_\(.*\): /d" ./active/00boilerplate*
- update ubuntu-cve-tracker/scripts/packages-mirror to lose old release
update architectures to include "EOL" footnote in SecurityTeam/FAQ
regenerate Security/Features from $UCT/scripts/dump-features --editmoin
update people:~ubuntu-security/.ubuntu-security-tools.conf settings for:
- "release_list" loses EOL release name
remove release from $UQT/security-tools/kernel-abi-check
Individuals (EOL)
update ~/.ubuntu-security-tools.conf settings for:
- "release_list" loses EOL release name
update ~/.uqt-vm-tools.conf settings for:
- "vm_release_list" loses EOL release name
- update debmirror/apt-cacher lists to drop old release
- delete VMs and schroots from old release
Release Checklist
Infrastructure (release)
update scripts/cve_lib.py:
add the new release in releases
devel_release is emptied
Add release entry and timestamp to release_stamps. (The time stamp can be generated based of the date stamp of the release file rounded up to the next hour; e.g. echo "(($(date -r /PATH/TO/UBUNTU/ARCHIVE/dists/RELEASE/Release.gpg +%s) / 3600 ) + 1) * 3600" | /usr/bin/bc
- move all active CVEs and boilerplates from "devel" to release state:
./scripts/release-cycle-released $RELEASE
- update usn-tool for publication
update templates/html-drupal.html (add to release_list div, add a new stanza in the 'for each' part of that div, and add a show_binaries entry). This is no longer used by the security team, but might be in landscape (TODO: check).
update templates/email-maria.txt (add a new stanza to the 'affected releases' section, add a show_packages entry, and add a show_release_urls entry). This is no longer used by the security team, but might be in landscape (TODO: check).
update templates/email-new-format.txt (add a new stanza to the 'affected releases' section, add a show_packages entry, add a show_package_description entry, add a show_source_link entry)
pull these changes down on people (this happens automatically, but it will need to happen before a USN publication):
$ cd /home/ubuntu-security/bzr-pulls/usn-tool/ $ sudo -u ubuntu-security bzr pull
update architectures in SecurityTeam/FAQ
update security-tools/build-tools/security-fake-sync for new stable release (ubuntu_version() and next_release())
update people:~ubuntu-security/.ubuntu-security-tools.conf settings for:
release_devel is emptied
add release's kernels to $UQT/security-tools/kernel-abi-check
ask a LOSA to update the usn-website to have a version for the development release. Eg LP: #773627. This can be done via the '/usn/admin' interface.
Individuals (release)
update ~/.ubuntu-security-tools.conf settings for:
release_devel is emptied
add security-RELEASE and security-proposed-RELEASE sections to ~/.dput.cf
- pull infrastructure changes (from above):
- usn-tool
- ubuntu-cve-tracker
- security-tools
Devel Opens
Infrastructure (devel)
fill in releases and devel_release in ubuntu-cve-tools/scripts/cve_lib.py
use $UCT/scripts/release-cycle-devel-opens to update all the active CVEs to have 'devel_'
add release to non-ports and ports section of ubuntu-cve-tools/scripts/packages-mirror
update security-tools/build-tools/security-fake-sync for new release (next_release())
update graphing scripts on people in ~ubuntu-security/graphing
supported.data.template:
copy last line of supported.data to populate the commented out release, and uncomment it
- add the new release column
- add the new devel line, commented out
supported-src.data.template:
copy last line of supported-src.data to populate the commented out release, and uncomment it
- add the new release column
- add the new devel line, commented out
update.sh REL updated, INDEX incremented by 1 (to match column in the .template files)
regenerate Security/Features/Historical from $UCT/scripts/dump-features --historical
update the ubuntu-security graphs on people, following ~ubuntu-security/graphing/README
- create new release in apparmor-profiles and copy profiles over from previous release
Individuals (devel)
- update debmirror/apt-cacher lists to include new release
update ~/.ubuntu-security-tools.conf settings for:
release_list gains new release name
release_devel gains new release name
- build new VMs and schroots for new release
LTS loses Desktop support
generate $UCT/$RELEASE-supported.txt with a list of all the source packages that will get 5 years of support.
update $UCT/scripts/cve_lib.py's lts_partial_supported_releases variable to include th LTS.
run $UCT/scripts/check-syntax to update all the CVEs to the "ignored" state for the EOL packages.