UpdatePublication
When handling a security update, first prepare the upload (see Local Configuration below), then follow these steps to publish it.
Publishing an Update to Soyuz
Upload/Build/Publish
Prepare your local configuration
Set the name(s) of the source package(s) being updated: export SRCPKG="srcpkg1 srcpkg2..."
Upload the updated source packages via dput to each release's Security PPA target. Notification about failed builds should be automatically sent to security@ubuntu.com.
Wait for the builds on all supported architectures to finish and appear at the Ubuntu Security PPA; check their status with: $UCT/scripts/sis-changes --action check-build $SRCPKG
Unembargo by copying the packages into the archive accepted queue with: $UST/launchpadlib/unembargo $SRCPKG
Announce Publication
(for main/restricted publications)
- Assign a USN (format is NNN-S, and the following instructions assume $USN has been set as desired):
For a new issue, run: USN=$(ssh rookery.canonical.com "~ubuntu-security/bin/get-next-usn")
For an old issue that needs correction or continuation, start with the issue's original USN, keep NNN and increase S (e.g. if the original issue was 42-1, the updated USN will be 42-2).
- For a new issue that affects different software with identical CVEs, get a new USN normally for the first source package, and then keep NNN and increase S for each additional source package. (e.g. CVE-2008-1693 affected both poppler and koffice, so 603-1 was used for poppler and 603-2 was used for koffice). Please note that different versions of the same software (e.g. emacs21 and emacs22) should not do this, but instead use a single USN with S=1.
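The USN numbering rules above (a fresh NNN with S=1 for a new issue, the same NNN with S incremented for a continuation, and one NNN shared with increasing S across different software fixed for the same CVEs, but a single USN for several versions of the same software) can be checked in code. The following is an added example written for this page; it is not the Ubuntu Security Team's tooling. In the real process the next NNN comes from get-next-usn on rookery; here the caller supplies the last issued NNN as a plain integer, and each "software" is modelled as a list of source package names so that emacs21/emacs22-style version splits share one USN.

```python
import re

# A USN identifier is NNN-S: NNN is the issue number, S the sub-number.
USN_RE = re.compile(r"^(\d+)-(\d+)$")


def parse_usn(usn: str) -> tuple[int, int]:
    """Split 'NNN-S' into (NNN, S); reject anything that is not shaped like a USN."""
    m = USN_RE.match(usn.strip())
    if not m:
        raise ValueError(f"not a USN identifier: {usn!r}")
    return int(m.group(1)), int(m.group(2))


def format_usn(nnn: int, s: int) -> str:
    return f"{nnn}-{s}"


def new_issue_usn(last_nnn: int) -> str:
    """A brand-new issue takes the next NNN with S=1 (what get-next-usn hands out)."""
    return format_usn(last_nnn + 1, 1)


def continuation_usn(original: str) -> str:
    """A correction or continuation of an old issue keeps NNN and bumps S."""
    nnn, s = parse_usn(original)
    return format_usn(nnn, s + 1)


def allocate_for_advisory(software: list[list[str]], last_nnn: int) -> dict[str, str]:
    """Allocate USNs for one advisory covering several pieces of software.

    `software` is a list of groups; each group is one piece of software and
    may contain several source packages (different versions of the same
    software, e.g. ["emacs21", "emacs22"]) which all share a single USN.
    The first group gets a new NNN with S=1, and each further group keeps
    that NNN and increases S (poppler 603-1, koffice 603-2 in the page's example).
    """
    if not software or any(not group for group in software):
        raise ValueError("each advisory needs at least one non-empty software group")
    nnn = last_nnn + 1
    allocation: dict[str, str] = {}
    for s, group in enumerate(software, start=1):
        for srcpkg in group:
            if srcpkg in allocation:
                raise ValueError(f"source package listed twice: {srcpkg}")
            allocation[srcpkg] = format_usn(nnn, s)
    return allocation


if __name__ == "__main__":
    # Constructed sample: the page's poppler/koffice case, assuming 602 was the last NNN used.
    print(allocate_for_advisory([["poppler"], ["koffice"]], last_nnn=602))
    print(continuation_usn("42-1"))
```

The group-of-lists shape is the point: it forces the person preparing the advisory to state explicitly which source packages are versions of one piece of software, which is exactly the distinction the emacs21/emacs22 note draws.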
To create the USN template script, run: $UCT/scripts/sis-changes --download /tmp/pending $SRCPKG && cd /tmp/pending && $UCT/scripts/sis-generate-usn $USN *.changes > ~/new-usn.sh
Edit ~/new-usn.sh to include a correct title, summary, action, description, and then limit the binary list to only those affected by the USN. Leave all URLs as-is. Have the description proofread by somebody else.
To populate the USN database with the new USN details and generate the template email (sent to security@ubuntu.com), run: bash ~/new-usn.sh
Wait until the packages are actually mirrored to the archive; the publisher runs hourly at :03, and updates should usually appear on security.ubuntu.com within 20-40 minutes, depending on the size and number of binary packages. (Note that the 0403 UTC publication run is skipped because of the Contents generation job.) To verify that the packages have arrived, run: ssh rookery.canonical.com "~ubuntu-security/bin/check-upload $USN"
Once the packages are in the archive, GPG sign and send the USN email to ubuntu-security-announce@lists.ubuntu.com; CC bugtraq@securityfocus.com and full-disclosure@lists.grok.org.uk, with a Reply-To: header set to Ubuntu Security <security@ubuntu.com>.
Approve the USN mail on https://lists.ubuntu.com/mailman/admindb/ubuntu-security-announce. Be sure to reject duplicate mails from yourself (some list subscribers bounce mails back unmodified). Verify that it went through at https://lists.ubuntu.com/archives/ubuntu-security-announce/.
Create a new USN page for this USN via https://www-admin.ubuntu.com/. Copy and paste the USN email text, but without the file list, wrapped in a "div class=usn" tag; include the cve file path and a list of all the CVEs.
Copy the updated USN database by running: ssh rookery.canonical.com "~ubuntu-security/bin/push-usn-db"
For large updates (OOo, firefox, kernel, kdebase), ping an archive admin about doing a pocket-copy from -security to -updates to help reduce the load on security.archive.com. (ssh forced-command needed!)
Check for any outstanding Launchpad bugs tied to the CVEs resolved by the USN at https://bugs.launchpad.net/bugs/cve/YYYY-NNNN (substituting each CVE's year and number).
- Delete $SRCPKG from the Security PPA.
Editing a Published USN
Edit the page for this USN via https://www-admin.ubuntu.com/.
Update the USN database with ssh -t rookery.canonical.com ~ubuntu-security/bin/edit-usn NNN-S, where NNN-S is the USN being edited, e.g. 582-2.
Copy the updated USN database by running: ssh rookery.canonical.com "~ubuntu-security/bin/push-usn-db"
Local Configuration
Make sure ~/.ubuntu-cve-tracker.conf is fully configured (see the u-c-t README), and set the path to your ubuntu-cve-tracker bzr tree checkout: UCT=/path/to/ubuntu-cve-tracker
Set up ~/.dput.cf with the appropriate Security PPA upload entries:
[security-dapper]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/dapper
login = anonymous

[security-gutsy]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/gutsy
login = anonymous

[security-hardy]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/hardy
login = anonymous

[security-intrepid]
fqdn = ppa.launchpad.net
incoming = ~ubuntu-security/ubuntu/intrepid
login = anonymous
DAK
DAK has been superseded by Soyuz. The old process can be seen in SecurityUpdateProceduresDAK.