Purpose

The Security Sponsors Queue is used by the ubuntu-security-sponsors team to coordinate sponsored security uploads to an Ubuntu stable release. This queue is for all packages in Ubuntu, but specific to the security pocket of Ubuntu.

Please remember that security fixes should follow the procedure outlined in the Security Update Procedures.

Notes for Contributors

Before subscribing ubuntu-security-sponsors to a bug, please check the following:

  1. Your patch is in debdiff format (for merges and bug fixes) or a diff.gz file (for new upstream revisions).

  2. The patch follows the security team update procedures. Especially:

    • targeted against the security pocket of a stable release
    • uses the correct version
    • mentions a CVE, and preferably a LP bug #.
    • Check your .changes file to make sure that you have the right revision and distribution

  3. All changes in the patch are intentional
    • Review the patch manually. If there are unexpected changes, consider removing them from the patch, either using filterdiff or manually. If you are uncertain, seek advice from #ubuntu-motu, #ubuntu-hardened or your Mentor

  4. Your patch applies cleanly
    • Test your patch by downloading and unpacking the target source, and running patch -p1 < ../patchname.debdiff in the package directory. There should be no errors.

  5. The Status and Assignment are correct
    • The Status should be "New" for sync requests
    • The Status should be "Confirmed" when you have uploaded a debdiff
    • The Assignment should be "Unassigned"
  6. The sponsors will use the status and assignment fields in their communications with you and other groups
    • Please check the status and assignment before subscribing the team again to a bug which required some action (either from you or from somebody else)
  7. Please comment on the testing performed.

  8. If all of the above is in order, please subscribe ubuntu-security-sponsors
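
As an added example (not part of this wiki page and not the Ubuntu security team's own tooling), the following Python script automates the checks from item 2 above on a .changes file: the Distribution must be a -security pocket, the Version and Distribution fields must agree with the changelog entry embedded in the Changes field, and the changelog must mention a CVE (an LP bug reference is only recommended, so its absence is reported as a warning rather than an error). The sample .changes content is constructed for this example, and the CVE and LP numbers in it are zero-filled placeholders, not real identifiers.

```python
"""Added example: sanity-check a security-update .changes file before subscribing
ubuntu-security-sponsors. The sample below is constructed; field names follow the
.changes format, and the CVE / LP numbers are zero-filled placeholders."""
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
LP_RE = re.compile(r"\bLP:\s*#\d+")
# First line of a debian/changelog entry: "source (version) distribution; urgency=..."
CHANGELOG_HEAD_RE = re.compile(r"^(\S+) \((\S+)\) (\S+); urgency=\S+")

GOOD_CHANGES = """\
Format: 1.8
Date: Thu, 01 Jan 2009 00:00:00 +0000
Source: foo
Binary: foo
Architecture: source
Version: 1.0-2ubuntu0.1
Distribution: hardy-security
Urgency: medium
Maintainer: Ubuntu Developers <maintainer@example.com>
Changed-By: Example Contributor <contributor@example.com>
Description:
 foo - constructed example package
Changes:
 foo (1.0-2ubuntu0.1) hardy-security; urgency=medium
 .
   * SECURITY UPDATE: placeholder description of the fix
     - debian/patches/CVE-0000-0000.patch: placeholder patch name
     - CVE-0000-0000 (placeholder, not a real identifier)
     - LP: #0000000 (placeholder)
"""

# Same upload, but targeted at the release pocket and with no CVE or bug reference.
BAD_CHANGES = GOOD_CHANGES.replace("hardy-security", "hardy").replace(
    "CVE-0000-0000", "no-identifier").replace("LP: #0000000", "no bug")


def parse_changes(text):
    """Parse RFC822-style fields into a dict; continuation lines (leading
    whitespace) are appended to the previous field with that one space removed."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if key is None:
                raise ValueError("continuation line before any field")
            fields[key] += "\n" + line[1:]
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields


def check_security_changes(text):
    """Return {'errors': [...], 'warnings': [...]}; an empty 'errors' list means
    the upload passes the checks from the contributor notes."""
    f = parse_changes(text)
    errors, warnings = [], []
    dist = f.get("Distribution", "")
    version = f.get("Version", "")
    changes = f.get("Changes", "")
    if not dist.endswith("-security"):
        errors.append(f"Distribution '{dist}' is not a -security pocket")
    head = None
    for line in changes.splitlines():
        head = CHANGELOG_HEAD_RE.match(line.strip())
        if head:
            break
    if head is None:
        errors.append("Changes field has no changelog entry header")
    else:
        if head.group(2) != version:
            errors.append(f"Version '{version}' differs from changelog version '{head.group(2)}'")
        if head.group(3) != dist:
            errors.append(f"Distribution '{dist}' differs from changelog target '{head.group(3)}'")
    if not CVE_RE.search(changes):
        errors.append("no CVE identifier mentioned in Changes")
    if not LP_RE.search(changes):
        warnings.append("no LP bug reference (LP: #nnnnnn) in Changes")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for name, text in (("good", GOOD_CHANGES), ("bad", BAD_CHANGES)):
        print(name, check_security_changes(text))
```

Run it against a real .changes file by passing the file's contents to check_security_changes(); the constructed BAD_CHANGES variant shows the two errors (wrong pocket, no CVE) and one warning (no LP bug) a sponsor would otherwise have to spot by hand.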

Notes for Sponsors

Once you have selected a bug, please use the following guidelines for disposition. This process is very similar to the existing MOTU/Sponsorship/SponsorsQueue process, and differs mainly in that ubuntu-security-sponsors remain subscribed to the bug in most situations.

Bug lists for ubuntu-security-sponsors:

All bugs

Sync request bugs

Fake sync requests can be performed when a Debian security update has the same base version as the Ubuntu version (i.e., no merge is required). See below for details.

Bugs with debdiffs

Bugs without debdiffs

N.B.: normal bug triage rules still apply. Inappropriate bugs should be invalidated. Already fixed bugs should be updated as Released with the release version, etc.

Notes for Uploaders

The ubuntu-security team is required to upload packages to the security pocket. The team will process uploads for bugs in these lists:

Once it has been published, please update the Ubuntu CVE Tracker with details on what was fixed (and set any bugs related to the upload to "Fix Released" if the changelog did not include a bug reference number).

Syncs

For community-supported packages, it's possible to perform a fake sync from the Debian security archive if the version in Ubuntu is the same as the base version in Debian. E.g., if package foo in Ubuntu 8.04 LTS is at version 1.0-2, package foo in Debian Lenny also has version 1.0-2, and the DSA for Debian uses 1.0-2+lenny1, this package is suitable for syncing into Ubuntu using a fake sync. Basically, this is a no-change rebuild using the version <Debian DSA version>build0.<ubuntu release version>.1. E.g., for the above package, the new version in Ubuntu is 1.0-2+lenny1build0.8.04.1. To ensure smooth upgrades from one Ubuntu release to another, you must be careful about versioning.
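
As an added example (not the team's own code), here is a Python port of dpkg's version-comparison algorithm together with a helper that builds the fake-sync version described above and checks the precondition (Ubuntu version equal to the Debian base version, DSA version derived from that base). The comparison goes beyond the single case in the text: it orders any Debian/Ubuntu version string, including epochs and the `~` pre-release convention, so you can confirm that the fake-sync version sorts above the DSA version and that the versions generated for successive Ubuntu releases (passed in ascending order) stay in increasing order, which is what keeps release upgrades moving forward. The function names and the release list are my own.

```python
"""Added example: fake-sync version construction and dpkg-style version ordering."""


def _order(c):
    """Character weight used by dpkg's verrevcmp(): '~' sorts before everything
    (even the end of the string), letters before non-letters; digits and end = 0."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternately compare non-digit runs
    (by weight) and digit runs (numerically) until one string is exhausted."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]'; no hyphen means an empty revision."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # rpartition put everything into `revision`: no hyphen
        upstream, revision = revision, ""
    return epoch, upstream, revision


def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)


def fake_sync_version(dsa_version, ubuntu_release):
    """<Debian DSA version>build0.<ubuntu release version>.1, as on the wiki page."""
    return f"{dsa_version}build0.{ubuntu_release}.1"


def fake_sync_plan(ubuntu_version, debian_base_version, dsa_version, releases):
    """Check the fake-sync precondition and return one version per release
    (releases in ascending order), verifying each sorts above the DSA version
    and above the version produced for the previous release."""
    if ubuntu_version != debian_base_version:
        raise ValueError("Ubuntu version differs from Debian base: a merge is needed, not a fake sync")
    if not dsa_version.startswith(debian_base_version) or dpkg_compare(dsa_version, debian_base_version) <= 0:
        raise ValueError("DSA version is not a direct successor of the Debian base version")
    plan = [fake_sync_version(dsa_version, r) for r in releases]
    previous = dsa_version
    for v in plan:
        if dpkg_compare(v, previous) <= 0:
            raise ValueError(f"{v} does not sort after {previous}")
        previous = v
    return plan


if __name__ == "__main__":
    # The page's own example: foo 1.0-2 in Ubuntu 8.04 LTS, DSA version 1.0-2+lenny1.
    print(fake_sync_plan("1.0-2", "1.0-2", "1.0-2+lenny1", ["8.04", "8.10"]))
```

The port follows dpkg's verrevcmp() loop shape rather than a simplified split-on-dots scheme because the corner cases are exactly where versioning mistakes bite: `~` sorts below the empty string, letters sort below punctuation, and leading zeros in numeric runs are ignored, which is why 8.04 still sorts below 8.10.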

Uploads

If the package is officially supported, it must be reviewed and tested by a member of ubuntu-security.

If the package is community supported and the bug is ACK'd:

If the package is community supported, the bug is ACK'd and has the tag security-verification:

Verification

For packages that were built in the ubuntu-security-proposed PPA and went to -proposed for more testing, the ubuntu-sru team will follow the process as detailed in StableReleaseUpdates. Once marked as verification-done, they can be copied to the -security and -updates pockets.

Bug lists:


CategoryProcess CategorySecurityTeam

SecurityTeam/SponsorsQueue (last edited 2022-01-05 12:22:11 by rodrigo-zaiden)