StableReleaseUpdates

Differences between revisions 203 and 205 (spanning 2 versions)

Contents

Useful runes
1. reprocess-failed-to-move
2. Reprocessing failed source uploads
Stable release updates
1. langpack SRUs
Other archives
Useful web pages
Chroot management
Archive administration shifts
Archive Administration and Freezes
OEM metapackages

Once an Ubuntu release has been completed and published, updates for it are only released under certain circumstances, and must follow a special procedure called a "stable release update" or SRU.

There is an automatically generated list of packages which are currently undergoing this process.

$Warning /!\$ Did you notice a regression in a package which went to -updates? Please report this using these steps.

1. Why

In contrast to pre-release versions, official releases of Ubuntu are subject to much wider use, and by a different demographic of users. During development, changes to the distribution primarily affect developers, early adopters and other advanced users, all of whom have elected to use pre-release software at their own risk.

Users of the official release, in contrast, expect a high degree of stability. They use their Ubuntu system for their day-to-day work, and problems they experience with it can be extremely disruptive. Many of them are less experienced with Ubuntu and with Linux, and expect a reliable system which does not require their intervention.

Stable release updates are automatically recommended to a very large number of users, and so it is critically important to treat them with great caution. Therefore, when updates are proposed, they must be accompanied by a strong rationale and present a low risk of regressions.

"It's just a one-line change!"

Even the simplest of changes can cause unexpected regressions due to lurking problems:

In bug 81125, the upgrade regression had nothing to do with the content of the change that triggered it: any user who had installed the libpthread20 package would encounter a problem the next time libc6 was upgraded.
In bug 309674, the failure was a misbuild due to timestamp skew in the build process. The underlying problem existed in the source package in the original release, but would only manifest in a small percentage of builds.
In bug 559822, a C++ library (wxwidgets2.8) was uploaded with no code changes. Due to an underlying toolchain change/bug, this caused an ABI change, causing a lot of unrelated packages to break (see bug 610975)

We never assume that any change, no matter how obvious, is completely free of regression risk.

2. When

Stable release updates will, in general, only be issued in order to fix high-impact bugs. Examples of such bugs include:

Bugs which may, under realistic circumstances, directly cause a security vulnerability. These are done by the security team and are documented at SecurityTeam/UpdateProcedures.
Bugs which represent severe regressions from the previous release of Ubuntu. This includes packages which are totally unusable, like being uninstallable or crashing on startup.
Bugs which may, under realistic circumstances, directly cause a loss of user data
Bugs which do not fit under above categories, but (1) have an obviously safe patch and (2) affect an application rather than critical infrastructure packages (like X.org or the kernel).
For Long Term Support releases we regularly want to enable new hardware. Such changes are appropriate provided that we can ensure not to affect upgrades on existing hardware. For example, modaliases of newly introduced drivers must not overlap with previously shipped drivers.
New versions of commercial software in the Canonical partner archive.
FTBFS(Fails To Build From Source) can also be considered. Please note that in main the release process ensures that there are no binaries which are not built from a current source. Usually those bugs should only be SRUed in conjunction with another bug fix.

For new upstream versions of packages which provide new features, but don't fix critical bugs, a backport should be requested instead.

3. Procedure

Check that the bug is fixed in the current development release, and that its bug task is "Fix Released". It is, in general, not appropriate to release bug fixes for stable systems without first testing them in the current development branch.
Ensure that the bug report for this issue is public. If the bug has been reported privately and cannot be published, you must first create a separate public bug report in launchpad and copy over as much information as can be published.
Update the bug report description and make sure it contains the following information:
1. An explanation of the bug on users and justification for backporting the fix to the stable release. This may be preceded with an [Impact] header, but this is not required. In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug.
2. A [Test Case] section with detailed instructions how to reproduce the bug. These should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem.
3. A [Regression Potential] section with a discussion of how regressions are most likely to manifest as a result of this change. It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what could happen in the event of a regression. This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU.
Ask a bug supervisor to target the bug to the appropriate Ubuntu releases (e. g. the current LTS and latest stable release), then subscribe the team ubuntu-sru to your bug report.
Upload the fixed package to release-proposed with the patch in the bug report, a detailed and user-readable changelog, and no other unrelated changes. After upload, the bug status should be changed to In Progress, once accepted into release-proposed, the status will be automatically changed to Fix Committed. Also, make sure that:
1. The version number does not conflict with any later and future version in other Ubuntu releases (the security policy document has a well-working scheme which can be used for SRUs.)
2. There is a reference to the SRU bug number in the changelog, using the 'LP: #NNNNNN' convention. Only public bugs should be referenced in the changelog. If you can't upload to the archive yourself, get a sponsor, attach a debdiff to the bug and subscribe ubuntu-sponsors, as usual. There is no need to wait before uploading.
The ~ubuntu-sru team will review and approve then the archive admins will accept your upload. You can then test the actual binaries in the Ubuntu archive yourself and follow up in the bug report regarding your verification of the bug. The SRU team will evaluate the testing feedback and they will move the package into -updates after it has passed a minimum aging period of 7 days.
Subscribe yourself to bugmail for the package in Launchpad, if you haven't done so already, and monitor Launchpad for bug reports relating to the update for at least one week.
Any regression must always be documented in a bug report, which must be Importance: critical once the regression has been confirmed.

3.1. SRU Bug Template

[Impact] 

 * An explanation of the of the bug on users and

 * justification for backporting the fix to the stable release.

 * In addition, it is helpful, but not required, to include an
   explanation of how the upload fixes this bug.

[Test Case]

 * detailed instructions how to reproduce the bug

 * these should allow someone who is not familiar with the affected
   package to reproduce the bug and verify that the updated package fixes
   the problem.

[Regression Potential] 

 * discussion of how regressions are most likely to manifest as a result of this change. 

 * It is assumed that any SRU candidate patch is well-tested before
   upload and has a low overall risk of regression, but it's important
   to make the effort to think about what ''could'' happen in the
   event of a regression.

 * This both shows the SRU team that the risks have been considered,
   and provides guidance to testers in regression-testing the SRU.

[Other Info]
 
 * Anything else you think is useful to include
 * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
 * and address these questions in advance

4. Publishing

Once a fix has been validated, please work with the Stable Release Update (SRU) Team to ensure its published to -updates. Vanguards from the SRU team can be found in #ubuntu-release on the following schedule:

Day	SRU Team Member (IRC nick)
Monday	Adam Conrad (infinity)
Tuesday	Chris Halse Rogers (RAOF)
Wednesday	Clint Byrum (SpamapS)
Thursday	Brian Murray (bdmurray)
Friday	Steve Langasek (slangasek)
Ad hoc	Scott Kitterman (ScottK), Kate Stewart (skaet)

5. Fixing several bugs in one upload

Please avoid creating meta-bugs like "Please SRU this". They just create redundancy and are opaque to original bug reporters, whose feedback is valuable for verification, so these bugs will generally be invalidated by the SRU team. Just prepare all fixed bugs as described above, and either

attach the complete patch/debdiff to one bug and point to it in the other bugs ("debdiff which fixes this is attached to bug #xxxxxx")

attach individual patches to the corresponding bug reports. If you have the fixes in bzr, it is even easier and more convenient to give a pointer to the fix ("fixed in http://bazaar.launchpad.net/.../revision/12") when fixing the bug in trunk.

6. New upstream microreleases

In some cases, when upstream fixes bugs, they do a new microrelease instead of just sending patches. If all of the changes are appropriate for an SRU by the criteria above, then it is acceptable (and usually easier) to just upload the complete new upstream microrelease instead of backporting the individual patches. Note that some noise introduced by autoreconf is okay, but making structural changes to the build system (such as introducing new library dependencies) is generally not.

If a new upstream release has more intrusive changes, you need to request an exception from the Technical Board, especially if you are going to upload the package with non-SRU changes multiple times in the future. Please see special cases below.

7. Verification

The SRU verification team will regularly check open bugs with the verification-needed tag and test proposed updates on different hardware to check for inadvertent side effects. Verification must be done in a software environment as close as is feasible to that which will exist after the package is copied to *-updates. Generally this will be with a system that is up to date from *-release, *-security, and *-updates, but not with other packages from *-proposed (except other packages built from the affected source package - they must be updated if generally installed) or *-backports.

If they discover that your fix is insufficient, or the test case is not sufficient to reproduce the bug, they will:

Set the bug task to Status: In Progress
Describe why the fix was rejected in a comment to the bug report.
Modify the verification-needed tag to a verification-failed tag on the bug report.

The SRU verification team may also discover that your fix is good. They will:

Modify the verification-needed tag to a verification-done tag on the bug report.
Describe the general steps taken to verify the package, any special difficulties, and the recommended upload date.

While not ideal it is also possible for the uploader of the fix to perform the verification of the package in *-proposed, however it must still be done in a software environment as close as is feasible to that which will exist after the package is copied to *-updates.

Verification feedback from bug reporters and subscribers is greatly appreciated, too, especially if the update is hardware specific. In this case we consider an update as verified if it has at least two positive, no negative testimonials in the bug report, and the verification team just checks whether the new version still works for the main use cases (to check for major regressions).

If you encounter a regression in a package that has been uploaded to *-proposed, please:

File a bug report against the package, describing the nature of the regression you have encountered, including any special steps needed to reproduce the regression.
Mark this bug with the tag regression-proposed
Ask a bug supervisor to target the bug to the appropriate Ubuntu releases.
Follow up to the SRU bug report referenced from the package changelog, pointing to the new bug. If there is more than one bug in the SRU changelog, follow up to the bug that is most closely related to the regression.
Set the verification-failed tag on the corresponding SRU bug report.

If you want to help us to verify Stable Release Updates then read how to perform a Stable Release Update verification

Verification Notes

There is a standing agenda item for the SRU & LTS meeting to make sure all stakeholders are able to raise issues as early as possible.
Ensure all critical and high importance bugs are verified in a timely manner. If not, the SRU QA Engineer will perform the testing.
The SRU QA Engineer will specifically ask at the SRU & LTS meeting if there are specific bugs that need verification that aren't being done by the bug reporter. If necessary, a QA team member will do the verification. If not able (e.g. lack of specific HW), will do more calls for testing and nag the bug reporter again.
If necessary, the QA team will set up separate SRU verification program, for big packages like eglibc, python, X.

8. Removal of updates

If a bug fixed by an update does not get any testing/verification feedback for 90 days an automated call for testing comment will be made on the bug report. In the event that there is still no testing after an additional 15 days, that's a total of 105 days without any testing, the Stable Release Managers will remove the package from -proposed and usually close the bug task as "Won't Fix", due to lack of interest. Removal will happen immediately if a package update in -proposed is found to introduce a nontrivial regression.

9. Regressions

If a package update introduces a regression which already made it through the verification process to -updates, please immediately join #ubuntu-devel on Freenode, send the message "!regression-alert" on its own, and then describe the problem. Eg:

16:33 < you> !regression-alert
16:33 < ubottu> ... <automated response> ...
16:33 < you> bug #... <your explanation>

Please include the package name and a relevant bug number if possible. If you cannot join IRC, please follow up on one of the relevant bugs (see changelog).

If the regression only applies to the package in -proposed, please follow up to the bug with a detailed explanation, and tag the bug with regression-proposed.

9.1. Testing for Regressions

To minimise the risk of regressions being introduced via a SRU, testing will be perform by Canonical on each proposed kernel.

Depth Regression testing will be performed by the Ubuntu Platform QA team on minimal set of HW that represents the different flavours of Ubuntu Editions and Architectures. This activity will focus on verifying that hw-independent regressions have not been introduced.

Breadth hardware testing will be performed by the HW Certification team on release-certified HW. The test will verify that the proposed kernel can be successfully installed on the latest (point) release, network access is functional, and no other functionality is missing that will enable Update Manager to work correctly.

10. Special Cases

The Technical Board resolution on Landscape provides a general rationale for the types of special cases that may be approved here in future.

10.1. New micro releases

For some packages it is acceptable to upload new upstream microreleases to stable Ubuntu releases. See /MicroReleaseExceptions for details.

10.2. Kernel

Because of the way updates to the kernel work, it will follow a slightly different process which is described on KernelTeam/KernelUpdates.

10.3. app-install-data-commercial

The app-install-data-commercial source package may be uploaded to add .desktop files for new packages in the commercial repository on archive.canonical.com. This does not require prior approval, and the aging requirement is waived; but it must still go through -proposed, a bug report must still be filed with testing instructions (its enough to add the new apps so that the tester can try to install them and verify that this works), and testing must still be recorded in the bug report.

(This section is based on discussions between MichaelVogt and ColinWatson)

10.4. Landscape

The landscape-client source package may be uploaded according to the procedure documented in LandscapeUpdates. See the Technical Board resolution for details and rationale.

10.5. tzdata

The tzdata package is updated to reflect changes in timezones or daylight saving policies. The verification is done with the "zdump" utility. The first timezone that gets changed in the updated package is dumped with "zdump -v $region/$timezone_that_changed" (this needed to be greped for in /usr/share/zoneinfo/). This is compared to the same output after the updated package got installed. If those are different the verification is considered done.

Because tzdata's packaging has changed subtly from release to release, rather than just backporting the most recent release's source package, we update the upstream tarball instead, following this procedure:

For the releases other than hardy, the process is simple:

cd $(old source dir)
uupdate -v 2012e ../tzdata_2012e.orig.tar.gz
cd ../tzdata-2012e

For hardy, you need to repack the sources for the old source format version that was in use:

mkdir tzdata-2012e~repack
cp tzdata_2012e.orig.tar.gz tzdata-2012e~repack/tzdata2012e.tar.gz
tar -czvf tzdata_2012e~repack.orig.tar.gz tzdata-2012e~repack/ && rm -r tzdata-2012e~repack/
cd $(old source dir)
uupdate -v 2012e~repack ../tzdata_2012e~repack.orig.tar.gz
cd ../tzdata-2012e~repack

In both cases, you then need to edit debian/changelog to add bug closures, and make sure to use a version number consistent to the previous numbering scheme (2012e~repack-0ubuntu0.8.04 or 2012e-0ubuntu0.12.04 in the above examples).

10.6. udev keymaps

udev ships a set of rules and keyboard maps which provide correct hotkey assignments for individual laptop and USB hardware, and fixes "stuck" keys on buggy BIOSes. Those maps can be backported to the current LTS release(s). After one week of maturing in -proposed and no regression bug reports it can be moved to -updates.

10.7. media-player-info

The media-player-info package ships udev rules to identify USB music players as such, to provide tight desktop integration. It is an architecture: all textual data-only package which has a very low regression potential. Newer versions can be backported to the current LTS release(s). After one week of maturing in -proposed and no regression bug reports it can be moved to -updates.

10.8. mobile-broadband-provider-info

Whenever there are significant changes, a new version is uploaded into the current development release and all stable releases from 8.10 on. After one week of maturing in -proposed and no regression bug reports it can be moved to -updates.

10.9. clamav and rdepends

Due to the special evolving nature of anti-virus requirements and the complexity of maintaining security fixes for multiple releases, we will work to keep clamav current on all supported releases. See ClamavUpdates for details.

10.10. sun-java*

Ubuntu 9.04 and later include an officially tested and certified JDK called OpenJDK. Prior to Ubuntu 9.04, the only officially tested and certified JDKs were sun-java5 and sun-java6. These are binary-only packages shipped in multiverse.

To support users of 8.04 LTS who do not have access to the free OpenJDK, new upstream microreleases of sun-java5 and sun-java6 can be provided in -updates without checking individual changes for above SRU criteria for as long as Sun/Oracle provides updates. Verification just needs to prove that the packages still upgrade/install for users, and that Java applications and browser applets still run, using the packages from hardy-proposed.

Other users are recommended to upgrade to at least 9.04 and use the supported OpenJDK.

When upstream discontinues maintenance for a version of a sun-java* package (e.g. sun-java5), no more updates will be provided for that package. An announcement should be made to the ubuntu-devel-announce mailing list regarding the discontinued support of the affected package.

11. Examples

As a reference, see bug #173082 for an idea of how the SRU process works for a main package, or bug #208666 for an SRU in universe.

12. Links

Bugs in different stages of the stable release process: http://people.canonical.com/~ubuntu-archive/pending-sru

This page has an "Upload queue status" section which links to all stable review queues.

13. Reviewing procedure and tools

If you are a member of the SRU reviewing team, you should check out the ubuntu-archive-tools scripts with

```
 bzr branch lp:ubuntu-archive-tools
```

which greatly simplify the reviewing procedure. You should symlink queuediff and sru-accept.py somewhere to your ~/bin/ directory for easy access, or put the checkout into your $PATH.

The following review procedure is recommended:

Open the unapproved queue for a particular release, e. g. https://launchpad.net/ubuntu/precise/+queue?queue_state=1 for precise. This shows the list of SRU uploads which have to be reviewed, commented on, and approved/accepted/rejected.
For each package, generate the debdiff to the current version in the archive and open the corresponding bugs:
```
 queuediff -b -s precise ubiquity | view -
 queuediff -b -s precise-updates linux-firmware | view -
```
-s specifies the pocket to compare against, and -b opens all the bugs which are mentioned in the .changes file in the browser. This will generate a debdiff between the current archive and the unapproved upload (unless the orig.tar.gz changes this will only download the two diff.gz, so it is reasonably fast).
Review the bugs for complete description, justification, check that they have a stable task, are conformant to SRU rules, etc, and comment accordingly.
Scrutinize the debdiff for matching the changes in the bugs, not having unrelated changes, etc. If you have doubts, comment on the bug.
If you are an archive administrator:
- If the bugs and debdiff are okay, accept the package from the +queue page, and run
```
 sru-accept -s precise -p ubiquity 12345 23456
```
  This will tag the bug with verification-needed, subscribe ubuntu-sru, and add a general "please test and give feedback"-like comment. If you used queuediff, that will already have generated a suitable sru-accept command, which you just need to copy and run.
- If the upload is broken or unsuitable for an SRU, reject it from the +queue page, and comment on the bug.
If you are not an archive administrator: Send a follow up comment to the bugs:
- If all is okay: send an "ubuntu-sru approved and reviewed" comment and set the task to "In Progress"
- If something is wrong: send the feedback to the bug and set the task to "Incomplete"

The pending SRUs should also be reviewed see whether or not there are any to be released or removed from the archive. The process for deailing with these follows:

Include: Nothing found for "^*"!

Packages in -proposed can be moved to -updates once they are approved by someone from sru-verification, and have passed the minimum aging period of 7 days. Use the sru-release script from ubuntu-archive-tools for this:

```
$ ./sru-release xenial kdebase
```

Please see --help, you can also use this tool to copy packages to -security and to the current development release. N.B. before copying a package to -security ping a member of the ubuntu-security team.

Currently pending SRUs

14. Publishing security uploads from the ubuntu-security private PPA

Security uploads in Soyuz are first built, published, and tested in the Security Team's private PPA. To unembargo them, the security team use a tool that re-publishes them to the primary archive. This is now self-service, although you may occasionally be asked to adjust overrides, which can be done in the usual way.

15. Publishing packages from the ubuntu-mozilla-security public PPA

Mozilla (ie, firefox and thunderbird) uploads in Soyuz are first built, published, and tested in the Mozilla Security Team's public PPA. To publish them into the main archive, use copy-package from ubuntu-archive-tools. Note that pocket copies to the security pocket should never be done without an explicit request from a member of the Ubuntu Security Team (Mozilla Security Team is not enough), and copies to the proposed pocket should not be done without an explicit request from a member of the SRU Team. Keep in mind that firefox 2.0 and later (ie hardy and later) will always have a corresponding xulrunner package that needs copying.

To publish firefox version 22.0+build2-0ubuntu0.12.04.2 from the ubuntu-mozilla-security PPA to the -security pocket of ubuntu's precise release, you would do the following:

$ ./copy-package -b --from=~ubuntu-mozilla-security/ubuntu/ppa -s precise --to=ubuntu --to-suite precise-security -e 22.0+build2-0ubuntu0.12.04.2 firefox

Alternatively, can use lp:ubuntu-qa-tools/security-tools/unembargo like so:

$ unembargo --ppa=ubuntu-mozilla-security -r xenial --pocket=proposed chromium-browser

16. Publishing packages from the ubuntu-security-proposed public PPA to proposed

This works the same as the ubuntu-mozilla-security PPA, above. Eg, using lp:ubuntu-qa-tools/security-tools/unembargo:

$ unembargo --ppa=ubuntu-security-proposed -r xenial --pocket=proposed gnupg

17. Copying PPA kernels to proposed

With the new StableReleaseCadence, kernels are built in the kernel team PPA and then pocket copied to the proposed pocket in the main archive once they are ACKd.

The two most useful URLs for this process are the Kernel SRU Report, where you will find links to the tracking bugs (the magnifying glasses), as well as the status of each package in each release, and the Kernel SRU workflow, which outlines in fine detail how each bug task should be handled, what the states mean, etc. The executive summary of the previous link is "only operate on tasks assigned to your team, and only when they're in the Comfirmed state, and when you do, please reassign to yourself and set the task to Fix Released when you're done".

The Pending SRU report has a section for the kernel PPA which shows all newer kernels in the PPA, provides clickable links to open all bugs (with separate CVE bugs), and copy&pasteable copy-proposed-kernel and sru-accept commands (both in ubuntu-archive-tools). To publish linux version 2.6.32-27.49 from the canonical-kernel-team PPA to the -proposed pocket of ubuntu's lucid release, you would do the following:

Click on the "open bugs" button and check that the bugs are in a reasonable state, i. e. they target the right source package (linux vs. linux-ec2 etc.), are fixed in the development release (or at least upstream), and that the changes are limited to bug fixes, and are in general within the boundaries of the StableReleaseUpdates policy. They should ideally have a task for the stable release the SRU targets. Note that this button does not open CVE bugs, as they don't get verification or other tracking (there is a separate button for opening them, if desired).
Find the tracking bug by either traversing through the list of bugs, or opening the .changes file and looking at the top (the release bug is pointed out there). Ensure that there is a proper stable task, and that the main (development release) task is invalid.
Run the copy-proposed-kernel command to copy it to -proposed. Once the kernels are copied to proposed and accepted, update the bug to close the Promote-to-proposed task and assign it to yourself.
However, with some flavours like -ec2 or armel kernels, which are mostly just a merge with the main linux kernel, it is too much overhead to add -ec2 tasks to all the bugs.
Due to current limitations of Launchpad, new packages copied from a PPA into the archive sometimes go to 'universe'. As a result, please verify the overrides for all packages copied to -proposed, otherwise these packages might become uninstallable when they are ultimately copied to -updates/-security. find-bin-overrides from lp:ubuntu-qa-tools can help with this. You use it like so: find-bin-overrides <pocket to compare to> <target pocket> <ubuntu release> <source package>=<version in pocket to compare to>,<old abi>,<new abi>. Eg, suppose there is a new kernel in hardy-proposed with a new ABI of 2.6.24-30 and you want to get a list of overrides for the new kernel based on the old ABI of 2.6.24-16 in the 2.6.24.12-16.34 version from the release pocket of hardy. For the linux-restricted-modules-2.6.24 source package, you might use:
```
$ find-bin-overrides release proposed hardy \
linux-restricted-modules-2.6.24=2.6.24.12-16.34,2.6.24-16,2.6.24-30
# hardy/linux-restricted-modules-2.6.24
./change-override -c multiverse -s hardy-proposed fglrx-kernel-source ...
./change-override -c restricted -s hardy-proposed avm-fritz-firmware-2.6.24-30 ...
```
For the linux source package, you might use:
```
$ find-bin-overrides release proposed hardy linux=2.6.24-16.30,2.6.24-16,2.6.24-30
# hardy/linux
...
```
You may also specify --show-main to also show the the change-override command to move things to main. This can be useful if you know the overrides are very wrong. See find-bin-overrides -h for details.

TODO: A process/script similar to kernel-overrides should be developed to make sure overrides are properly handled for binaries not in main. Is find-bin-overrides from lp:ubuntu-qa-tools good enough?

18. Copying security uploads to updates

Security uploads are distributed from a single system, security.ubuntu.com (consisting of one or a small number of machines in the Canonical datacentre). While this ensures much quicker distribution of security updates than is possible from a mirror network, it places a very high load on the machines serving security.ubuntu.com, as well as inflating Canonical's bandwidth expenses very substantially. Every new installation of a stable release of Ubuntu is likely to be shortly followed by downloading all security updates to date, which is a significant ongoing cost.

To mitigate this, we periodically copy security uploads to the -updates pocket, which is distributed via the regular mirror network. (In fact, the pooled packages associated with -security are mirrored too, but mirrored -security entries are not in the default /etc/apt/sources.list to avoid causing even more HTTP requests on every apt-get update.) This is a cheap operation, and has no effect on the timely distribution of security updates, other than to reduce the load on central systems.

The copy-report tool lists all security uploads that need to be copied to -updates. If the package in question is not already in -updates, it can be copied without further checks. Otherwise, copy-report will extract the changelogs (which may take a little while) and confirm that the package in -security is a descendant of the package in -updates. If that is not the case, it will report that the package needs to be merged by hand.

The output of the tool looks like this:

$ ./copy-report
The following packages can be copied safely:
--------------------------------------------

copy-package -y -b -s feisty-security --to-suite feisty-updates -e 8.3.5-6ubuntu2.1 tk8.3
copy-package -y -b -s feisty-security --to-suite feisty-updates -e 8.4.14-0ubuntu2.1 tk8.4

The block of output under "The following packages can be copied safely:" may be copied and pasted in its entirety (or run copy-report --safe). If there is a block headed "The following packages need to be merged by hand:", then make sure that the security team is aware of those cases.

Note that copy-report --safe is run from a cron job as the ubuntu-archive user on ubuntu-archive-toolbox, and so does not typically need to be run by hand.

19. Other copies

copy-package is a versatile tool and can be used for a number of other purposes. If you are doing something not documented here, please ask on #ubuntu-release first.

Archive administrators technically (as in, per the ACLs) have the ability to copy into the RELEASE pocket of the current development series. Please do not do this; that pocket is owned by the proposed-migration tools, and those tools have built-in override facilities for the cases where they are wrong. The release team has access to apply such overrides when needed.

20. Handling updates to partner

Updates to the partner archive follow a similar process as packages in the Ubuntu archive. Specifically, packages are first built in the proposed pocket, then they need to be copied to the release pocket after they are built and then cleaned up from the proposed pocket. The process is (examples show adobe-flashplugin being updated for xenial):

Review the package in the "unapproved" queue, and if appropriate, accept the package into partner for the proposed pocket (in this example, proposed for xenial)

When the package builds on all architectures, copy it to the partner release pocket (this makes it available to users). Eg:

$ ./copy-package -b --auto-approve --from=ubuntu/partner -s xenial-proposed --to-suite xenial adobe-flashplugin

or to do all at once:

$ for i in xenial bionic focal groovy; do ./copy-package -b --auto-approve --from=ubuntu/partner -s $i-proposed --to-suite $i adobe-flashplugin ; done

Remove the package from proposed in the partner archive. Eg:

$ ./remove-package -A ubuntu/partner -m "copied to release" -s xenial-proposed adobe-flashplugin

or to do all at once:

$ for i in xenial bionic focal groovy; do ./remove-package -A ubuntu/partner -m "copied to release" -s $i-proposed adobe-flashplugin ; done

21. Diffs for unapproved uploads

The "unapproved" queue holds packages while a release is frozen, i. e. while a milestone or final freeze is in progress, or for post-release updates (like hardy-proposed). Packages in these queues need to be scrutinized before they get accepted.

This can be done with the queuediff tool in ubuntu-archive-tools, which generates a debdiff between the current version in the archive, and the package sitting in the unapproved queue:

$ ./queuediff -s hardy-updates hal
$ ./queuediff -b human-icon-theme | view -

-s specifies the release pocket to compare against and defaults to the current development release. Please note that the pocket of the unapproved queue is not checked or regarded; i. e. if there is a hal package waiting in hardy-proposed/unapproved, but the previous version already migrated to hardy-updates, then you need to compare against hardy-updates, not -proposed.

Check --help, the tool has more options, such as specifying a different mirror, or -b to open the referred Launchpad bugs in the webbrowser.

This tool works very fast if the new package does not change the orig.tar.gz, then it only downloads the diff.gz. For native packages or new upstream versions it needs to download both tarballs and run debdiff on them. Thus for large packages you might want to do this manually in the data center.

22. Useful runes

This section contains some copy&paste shell bits which ease recurring jobs.

23. reprocess-failed-to-move

In some cases, binary packages fail to move from the incoming queue to the accepted queue. To fix this, run ~lp_buildd/reprocess-failed-to-move as lp_buildd

24. Reprocessing failed source uploads

If a source upload fails for spurious/transient reasons (you can check in pepo:/srv/launchpad.net/production-logs/lp_queue/process-upload.log), ask webops to locate the appropriate upload-* directory and corresponding .distro file in /srv/launchpad.net/ubuntu-queue/ (they will probably be in either failed or rejected) and move them both back to /srv/launchpad.net/ubuntu-queue/incoming/.

25. Stable release updates

SRU packages in -proposed must be approved by ~ubuntu-sru before accepting.

Please see https://wiki.ubuntu.com/StableReleaseUpdates#Reviewing_procedure_and_tools

26. langpack SRUs

Language packs are a special case; these packages are normally uploaded as a batch and will not normally reference specific bugs. The status page will only show language-pack-en. Please see the documentation how to copy packages between PPA, -proposed, and -updates.

27. Other archives

extras.ubuntu.com is not managed by the Ubuntu archive administration team, but is a PPA owned by the Application Review Board.

28. Useful web pages

Equally useful to the tools are the various auto-generated web pages in ubuntu-archive's public_html that can give you a feel for the state of the archive.

http://people.canonical.com/~ubuntu-archive/component-mismatches.txt

As described above, this lists the differences between the archive and the output of the germinate script. Shows up packages that are in the wrong place, or need seeding.

http://people.canonical.com/~ubuntu-archive/germinate-output/

This is the output of the germinate script, split up into each release of each flavour of ubuntu.

http://people.canonical.com/~ubuntu-archive/priority-mismatches.txt

Shows discrepancies between priorities of packages and where they probably should go according to the seeds.

http://people.canonical.com/~ubuntu-archive/architecture-mismatches.txt

Shows override discrepancies between architectures, which are generally bugs.

http://people.canonical.com/~ubuntu-archive/testing/xenial_probs.html

Generated by the half-hourly run of britney and indicates packages that are uninstallable on xenial, usually due to missing dependencies or problematic conflicts.

http://people.canonical.com/~ubuntu-archive/testing/xenial_outdate.html

Lists differences between binary and source versions in the archive. This often shows up both build failures (where binaries are out of date for particular architectures) but also where a binary is no longer built from the source.

http://people.canonical.com/~ubuntu-archive/NBS/ http://people.canonical.com/~ubuntu-archive/nbs.html

This contains a list of binary packages which are not built from source (NBS) any more. The files contain the list of reverse dependencies of those packages (output of checkrdepends -b). These packages need to be removed eventually, thus all reverse dependencies need to be fixed. This is updated half-hourly.

29. Chroot management

$Warning /!\$ Please note that chroot management is something generally handled by Canonical IS (and specifically by Adam Conrad). The following section documents the procedures required should one have to, for instance, remove all the chroots for a certain suite to stop the build queue in its tracks while a breakage is hunted down and fixed, but please don't take this as an open invitation to mess with the buildd chroots willy-nilly.

Soyuz stores one chroot per (suite, architecture).

manage-chroot allows the following actions upon a specified chroot:

$ ./manage-chroot
Usage: manage-chroot -a ARCHITECTURE [options] <get|info|remove|set>

manage-chroot: error: You must specify an architecture.

Downloading (get) an existing chroot:

$ ./manage-chroot [-s SUITE] <-a ARCH> get

The chroot will be downloaded and stored in the local disk name as 'chroot-<DISTRIBUTION>-<SERIES>-<ARCHTAG>.tar.bz2'

Uploading (add/update) a new chroot:

$ ./manage-chroot [-s SUITE] <-a ARCH> set -f <CHROOT_FILE>

The new chroot will be immediately used for the next build job in the corresponding architecture.

Disabling (remove) an existing chroot:

$Warning /!\$ Unless you have plans for creating a new chroots from scratch, it's better to download them to disk before the removal (recover is possible, but involves direct DB access)

$ ./manage-chroot [-s SUITE] <-a ARCH> remove

No builds will be dispatched for architectures with no chroot, the build-farm will continue functional for the rest of the system.

30. Archive administration shifts

This is a next try for establishing Archive Admin shifts during the week. During an AA shift, an archive admin allocates at least 2 hours to work on tasks requiring special ubuntu-archive permissions.

Current members with regular admin shifts are:

Monday:
Tuesday:
Wednesday: sil2100 (9:00-11:00 UTC)
Thursday: seb128 (10-12 CET)
Friday:

On an archive shifts, the following items should be the main focus:

Stay open for any 'ubuntu-archive' IRC requests, being available to help developers out with their everyday work

Additionally, the performing the following should be considered:

Process pending archive bugs. This query often generates a Launchpad OOPS rather than succeeding; this query is more likely to succeed, but might miss some bugs. Most of those are syncs, removals, component fixes, but there might be other, less common, requests.
Process the NEW queues of the current development release and *-backports of all supported stable releases.
If we are not yet in the DebianImportFreeze, run process-removals to review/remove packages which were removed in Debian.
Clean up component-mismatches, and poke people to fix dependencies/write MIRs.
Remove NBS packages without reverse dependencies, and prod maintainers to rebuild/fix packages to eliminate reverse dependencies to NBS packages.

31. Archive Administration and Freezes

Archive admins should be familiar with the FreezeExceptionProcess, however it is the bug submitter's and sponsor's responsibility to make sure that the process is being followed. Some things to keep in mind for common tasks:

When the archive is frozen (ie the week before a Milestone, or from one week before RC until the final release), you need an ACK from ubuntu-release for all main/restricted uploads
During the week before final release, you need an ACK from ubuntu-release for any uploads to universe/multiverse
When the archive is not frozen, bugfix-only sync requests can be processed if filed by a core-dev, ubuntu-dev or motu (universe/multiverse only) or have an ACK by a sponsor or someone from ubuntu-sponsors.
After FeatureFreeze, all (new or otherwise) packages in the archive (ie main, restricted, universe and multiverse) require an ACK from ubuntu-release for any FreezeException (eg FeatureFreeze, UserInterfaceFreeze, and Milestone). Packages that do not require a FreezeException can be processed normally.

See FreezeExceptionProcess for complete details.

32. OEM metapackages

The archive team runs a script, maintained by the DeveloperMembershipBoard, to automatically grant upload rights to oem-*-meta packages - including packages which aren't yet in Ubuntu (uploaders can upload to NEW for these packages) - to some members of Canonical's OEM delivery team via a packageset called "canonical-oem-metapackages".

The DMB handle applications to the packageset and maintain the code. Our responsibility in the archive team is to run the script reasonably frequently, pull any changes when the DMB ask us to, and arrange for its output to be emailed at least to the devel-permissions list.

See the DMB's knowledge base and the script itself for some further information and links.

If a package should be removed from -proposed, use the remove-package tool (from ubuntu-archive-tools). e.g., to remove source and binaries for the libreoffice package currently in xenial-proposed:

$ ./remove-package -m "SRU abandoned (verification-failed)" -s xenial-proposed libreoffice

CategoryProcess

StableReleaseUpdates (last edited 2024-05-14 20:50:50 by mfo)

-  ⇤ ← Revision 203 as of 2013-01-24 20:04:11 → 
  Size: 25929
  Editor: brian-murray
  Comment:
+   ← Revision 205 as of 2013-01-24 20:07:29 → ⇥
  Size: 25896
  Editor: brian-murray
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 337:
-The [[http://people.canonical.com/~ubuntu-archive/pending-sru|pending SRUs]] should also be reviewed see whether or not there are any to be released or removed from the archive.

To remove a package from -proposed:
+The [[http://people.canonical.com/~ubuntu-archive/pending-sru|pending SRUs]] should also be reviewed see whether or not there are any to be released or removed from the archive.  The process for deailing with these follows:

<<Include(ArchiveAdministration, ,from="== Moving Packages to Updates ==", to="^*")>>
 Line 342:
-To release a package from -proposed:

<<Include(ArchiveAdministration, ,from="== Moving Packages to Updates ==", to="^=")>>

Ubuntu Wiki