SponsorsQueue

Revision 1 as of 2009-12-11 15:56:28


Verification

The ubuntu-security-sponsors team will use the same process as detailed in StableReleaseUpdates.

Testing

  1. Properly test that the package builds and still works. You can refer to QA Regression Testing for scripts and techniques on testing packages.
  2. Testing might include (but is not limited to) build tests, test suites, proofs of concept (PoC), ABI changes, and testing the patched code to confirm that it introduces no regressions.
  3. If possible, use publicly available exploits and test cases to verify that the bug is fixed.
  4. In all cases, verify that the package still functions properly.

DRAFT: Syncs from Debian

For community-supported packages, the security team can perform a fake sync from the Debian security archive if the version in Ubuntu is the same as the base version in Debian. E.g., if package foo in Ubuntu 8.04 LTS is at version 1.0-2, package foo in Debian Lenny also has version 1.0-2, and the DSA for Debian uses 1.0-2+lenny1, then this package is suitable for syncing into Ubuntu using a fake sync.

Basically, a fake sync is a no-change rebuild using the version <Debian DSA version>build0.<ubuntu release version>.1. E.g., for the above package, the new version in Ubuntu is 1.0-2+lenny1build0.8.04.1. To ensure smooth upgrades from one Ubuntu release to another, you must be careful about versioning: the version published in a later Ubuntu release must compare at least as high as the one published in the earlier release.

Use the fake-security-sync tool from the Ubuntu security-tools bzr branch, which will help automate the process and perform various checks. Before publishing, be sure to:

  • verify the version is correct
  • verify the build went ok
  • sanity check the debdiff in Launchpad