Code

• UCT: lp:~ubuntu-security/ubuntu-cve-tracker/master
• UQT: lp:~ubuntu-bugcontrol/ubuntu-qa-tools/master
• kteam: git://kernel.ubuntu.com/ubuntu/kteam-tools.git

Workflow

• https://wiki.ubuntu.com/Kernel/kernel-sru-workflow

tracking

• https://bugs.launchpad.net/kernel-sru-workflow/security-signoff/

notification

• $UQT/security-tools/kernel-sru-check

Security Team Duties

per-CVE

• triage
• find fix
• find introduction if possible/easy
• record as lines using "break-fix" in the "Patches_linux:" section

Daily

• UCT merge with kernelteam
• sync UCT to LP and back
  • see end of $UCT/README for definition of desired state changes

  • bzr update

  • ./scripts/process_cves merge

  • ./scripts/sync-bugs-kernel.py --skip-search --confirm-update

• sync UCT to USNs (for any CVEs that have changed state, been revoked, etc)

per-proposed-package

• (part of the kernel update workflow)

• validate CVEs for USN publication: $UCT/scripts/prepare-kernel-update -n REL SRC

• mark workflow item "Fix Released"

per-released-package

• (part of the kernel update workflow)

• publish USN for real: $UCT/scripts/prepare-kernel-update -u REL SRC