Merge lp:~jr/ubuntu-packaging-guide/04-security-and-stable-release-updates into lp:ubuntu-packaging-guide

Proposed by Jonathan Riddell
Status: Merged
Approved by: Barry Warsaw
Approved revision: 80
Merged at revision: 50
Proposed branch: lp:~jr/ubuntu-packaging-guide/04-security-and-stable-release-updates
Merge into: lp:ubuntu-packaging-guide
Prerequisite: lp:~jr/ubuntu-packaging-guide/03-packaging-from-scratch
Diff against target: 280 lines (+67/-140)
3 files modified
fixing-a-bug.rst (+10/-4)
index.rst (+1/-1)
security-and-stable-release-updates.rst (+56/-135)
To merge this branch: bzr merge lp:~jr/ubuntu-packaging-guide/04-security-and-stable-release-updates
Reviewer Review Type Date Requested Status
Barry Warsaw (community) Approve
Review via email: mp+68538@code.launchpad.net

Commit message

Add information on stable release updates
Tidy up the security article and make it follow UDD practices

Description of the change

Add information on stable release updates
Tidy up the security article and make it follow UDD practices

80. By Jonathan Riddell

make instructions for adding a patch consistent

Barry Warsaw (barry) wrote :

This (and the other mp's) are all really great work! Thanks for making such fantastic improvements to the guide.

review: Approve

Preview Diff

=== modified file 'fixing-a-bug.rst'
--- fixing-a-bug.rst 2011-07-18 11:03:52 +0000
+++ fixing-a-bug.rst 2011-07-20 13:31:52 +0000
@@ -100,13 +100,19 @@
100.. XXX: Link to 'update to a new version' article.100.. XXX: Link to 'update to a new version' article.
101.. XXX: Link to 'send stuff upstream/Debian' article. (Launchpad bug 704845)101.. XXX: Link to 'send stuff upstream/Debian' article. (Launchpad bug 704845)
102102
103If you find a patch to fix the problem, say, attached to a bug report, running103You now want to create a patch which includes the fix. The command
104this command in the source directory should apply the patch::104``edit-patch`` is a simple way to add a patch to a package. Run::
105
106 $ edit-patch 99-new-patch
107
108This will copy the packaging to a temporary directory. You can now edit files
109with a text editor or apply patches from upstream, for example::
105110
106 $ patch -p1 < ../bugfix.patch111 $ patch -p1 < ../bugfix.patch
107112
108Refer to the ``patch(1)`` manpage for options and arguments such as 113After editing the file type ``exit`` or press ``control-d`` to quit the
109``--dry-run``, ``-p<num>``, etc.114temporary shell. The new patch will have been added into ``debian/patches``.
115
110116
111Testing the fix117Testing the fix
112===============118===============
113119
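
Review bot: The rewritten paragraph at new lines 113-114 drops the pointer to ``patch(1)`` and its ``--dry-run`` option, which was the only hint that a patch taken from a bug report can be checked before it modifies the tree. Suggest keeping one sentence after the ``patch -p1`` example, such as "Refer to the ``patch(1)`` manpage for options such as ``--dry-run``". Smaller points: "After editing the file type ``exit``" needs a comma after "file", ``control-d`` is written "Ctrl-D" in the security article, and new lines 115-116 leave two blank lines before "Testing the fix".
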
=== modified file 'index.rst'
--- index.rst 2011-07-20 13:31:52 +0000
+++ index.rst 2011-07-20 13:31:52 +0000
@@ -29,7 +29,7 @@
29 udd-intro29 udd-intro
30 packaging-from-scratch30 packaging-from-scratch
31 fixing-a-bug31 fixing-a-bug
32 fixing-a-bug-security32 security-and-stable-release-updates
3333
34Knowledge Base34Knowledge Base
35--------------35--------------
3636
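
Review bot: The toctree entry at new line 32 follows the file rename in this proposal, but the diff touches only three files, so any ``:doc:`` link to ``fixing-a-bug-security`` elsewhere in the guide would now be dangling. Please grep the tree for the old name before merging.
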
=== renamed file 'fixing-a-bug-security.rst' => 'security-and-stable-release-updates.rst'
--- fixing-a-bug-security.rst 2011-07-20 11:05:17 +0000
+++ security-and-stable-release-updates.rst 2011-07-20 13:31:52 +0000
@@ -1,6 +1,9 @@
1===============================1===================================
2Fixing a security bug in Ubuntu2Security and Stable Release Updates
3===============================3===================================
4
5Fixing a Security Bug in Ubuntu
6-------------------------------
47
5Introduction8Introduction
6============9============
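
Review bot: The new subsection title at new line 5, "Fixing a Security Bug in Ubuntu", is in title case while the section headings under it ("Introduction", "Obtaining the source", "Patching the source") stay in sentence case; pick one style. The hierarchy also now depends on the overlined ``===`` of the document title being distinct from the underline-only ``===`` of "Introduction", with ``---`` in between. That is valid reStructuredText but easy to break in a later edit, so a different adornment character for the third level would be clearer.
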
@@ -11,60 +14,24 @@
11be updating the dbus package in Ubuntu 10.04 LTS (Lucid Lynx) for a security14be updating the dbus package in Ubuntu 10.04 LTS (Lucid Lynx) for a security
12update.15update.
1316
14Since security updates are most often in stable releases of Ubuntu, you'll need
15to add ``deb-src`` lines to your apt configuration for the stable releases you
16want to fix. So after :doc:`you are set up for Ubuntu
17Development</getting-set-up>`, you'll want to add something like this to
18``/etc/apt/sources.list.d/security-sources.list``::
19
20 # lucid
21 deb-src http://archive.ubuntu.com/ubuntu/ lucid main restricted universe multiverse
22 deb-src http://archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe multiverse
23 deb-src http://security.ubuntu.com/ubuntu/ lucid-security main restricted universe multiverse
24
25Then run the following command to put your changes into effect::
26
27 $ sudo apt-get update
28
2917
30Obtaining the source18Obtaining the source
31====================19====================
20
32In this example, we already know we want to fix the dbus package in Ubuntu21In this example, we already know we want to fix the dbus package in Ubuntu
3310.04 LTS (Lucid Lynx). So first you need to determine the version of the2210.04 LTS (Lucid Lynx). So first you need to determine the version of the
34package you want to download. We can use the ``rmadison`` to help with this::23package you want to download. We can use the ``rmadison`` to help with this::
3524
36 $ rmadison dbus25 $ rmadison dbus | grep lucid
37 dbus | 1.1.20-1ubuntu1 | hardy | source, amd64, i386
38 dbus | 1.1.20-1ubuntu3.4 | hardy-security | source, amd64, i386
39 dbus | 1.1.20-1ubuntu3.4 | hardy-updates | source, amd64, i386
40 dbus | 1.2.16-2ubuntu4 | lucid | source, amd64, i38626 dbus | 1.2.16-2ubuntu4 | lucid | source, amd64, i386
41 dbus | 1.2.16-2ubuntu4.1 | lucid-security | source, amd64, i38627 dbus | 1.2.16-2ubuntu4.1 | lucid-security | source, amd64, i386
42 dbus | 1.2.16-2ubuntu4.2 | lucid-updates | source, amd64, i38628 dbus | 1.2.16-2ubuntu4.2 | lucid-updates | source, amd64, i386
43 dbus | 1.4.0-0ubuntu1 | maverick | source, amd64, i386
44 dbus | 1.4.0-0ubuntu1.1 | maverick-security | source, amd64, i386
45 dbus | 1.4.0-0ubuntu1.2 | maverick-updates | source, amd64, i386
46 dbus | 1.4.6-1ubuntu6 | natty | source, amd64, i386
47 dbus | 1.4.12-4ubuntu2 | oneiric | source, amd64, i386
4829
49Typically you will want to choose the highest version for the release you want30Typically you will want to choose the highest version for the release you want
50to patch that is not in -proposed or -backports. Since we are updating Lucid's31to patch that is not in -proposed or -backports. Since we are updating Lucid's
51dbus, you'll download 1.2.16-2ubuntu4.2::32dbus, you'll download 1.2.16-2ubuntu4.2 from lucid-updates::
5233
53 daniel@bert:~$ LC_ALL=C apt-get source dbus=1.2.16-2ubuntu4.234 $ bzr branch ubuntu:lucid-updates/dbus
54 Reading package lists... Done
55 Building dependency tree
56 Reading state information... Done
57 NOTICE: 'dbus' packaging is maintained in the 'Svn' version control system at:
58 svn://svn.debian.org/svn/pkg-utopia/packages/unstable/dbus
59 Need to get 1,613 kB of source archives.
60 Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dbus 1.2.16-2ubuntu4.2 (dsc) [2,360 B]
61 Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dbus 1.2.16-2ubuntu4.2 (tar) [1,576 kB]
62 Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dbus 1.2.16-2ubuntu4.2 (diff) [34.6 kB]
63 Fetched 1,613 kB in 0s (9,222 kB/s)
64 dpkg-source: info: extracting dbus in dbus-1.2.16
65 dpkg-source: info: unpacking dbus_1.2.16.orig.tar.gz
66 dpkg-source: info: applying dbus_1.2.16-2ubuntu4.2.diff.gz
67 daniel@bert:~$
6835
6936
70Patching the source37Patching the source
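
Review bot: ``bzr branch ubuntu:lucid-updates/dbus`` at new line 34 fetches whatever the branch tip is, while the sentence above it tells the reader to download 1.2.16-2ubuntu4.2, and nothing checks that the two agree. Suggest adding a step to confirm that the top entry of ``debian/changelog`` in the branch is 1.2.16-2ubuntu4.2 before patching. Two smaller points: ``rmadison dbus | grep lucid`` hides the newer releases that the later paragraph about confirming the fix in newer Ubuntu versions asks the reader to check, and the unchanged line "We can use the ``rmadison`` to help with this" should read "We can use ``rmadison``".
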
@@ -78,98 +45,17 @@
7845
79To create your patch using ``edit-patch``::46To create your patch using ``edit-patch``::
8047
81 daniel@bert:~$ cd dbus-1.2.1648 $ cd dbus
82 daniel@bert:~/dbus-1.2.16$ edit-patch 99-fix-a-vulnerability49 $ edit-patch 99-fix-a-vulnerability
83 Normalizing patch path to 99-fix-a-vulnerability50
84 Normalizing patch name to 99-fix-a-vulnerability.patch51This will apply the existing patches and put the packaging in a temporary
85 Applying patch 00_dbus-quiesce-startup-errors.patch52directory. Now edit the files needed to fix the vulnerability. Often upstream
86 patching file bus/config-parser.c53will have provided a patch so you can apply that patch::
8754
88 Applying patch 01_no-fatal-warnings.patch55 $ patch -p1 < /home/user/dbus-vulnerability.diff
89 patching file dbus/dbus-internals.c
90
91 Applying patch 02_dbus_monitor_no_sigint_handler.patch
92 patching file tools/dbus-monitor.c
93
94 Applying patch 10_dbus-1.0.1-generate-xml-docs.patch
95 patching file Doxyfile.in
96
97 Applying patch 20_kbsd_cmsgcred.patch
98 patching file dbus/dbus-sysdeps-unix.c
99
100 Applying patch 30_rt-as-needed.patch
101 patching file bus/Makefile.am
102 patching file bus/Makefile.in
103
104 Applying patch 11_timeout_handling.patch
105 patching file dbus/dbus-connection.c
106
107 Applying patch 20_system_conf_limit.patch
108 patching file bus/system.conf.in
109
110 Applying patch 81-session.conf-timeout.patch
111 patching file bus/session.conf.in
112
113 Applying patch 99-CVE-2010-4352.patch
114 patching file dbus/dbus-marshal-validate.c
115 patching file dbus/dbus-marshal-validate.h
116 patching file dbus/dbus-message-factory.c
117 patching file doc/dbus-specification.xml
118
119 Now at patch 99-CVE-2010-4352.patch
120 Patch 99-fix-a-vulnerability.patch is now on top
121 daniel@bert:/tmp/quilt-2oLXmw$ ls dbus/dbus-marshal-validate.c
122 dbus/dbus-marshal-validate.c
123 daniel@bert:/tmp/quilt-2oLXmw$ vi dbus/dbus-marshal-validate.c
12456
125Aftering making the necessary changes, you just hit Ctrl-D or type exit to57Aftering making the necessary changes, you just hit Ctrl-D or type exit to
126leave the subshell. E.g.::58leave the temporary shell.
127
128 daniel@bert:/tmp/quilt-2oLXmw$ exit
129 exit
130 File ./dbus/dbus-marshal-validate.c added to patch 99-fix-a-vulnerability.patch
131 Refreshed patch 99-fix-a-vulnerability.patch
132 Removing patch 99-fix-a-vulnerability.patch
133 Restoring dbus/dbus-marshal-validate.c
134
135 Removing patch 99-CVE-2010-4352.patch
136 Restoring doc/dbus-specification.xml
137 Restoring dbus/dbus-marshal-validate.h
138 Restoring dbus/dbus-marshal-validate.c
139 Restoring dbus/dbus-message-factory.c
140
141 Removing patch 81-session.conf-timeout.patch
142 Restoring bus/session.conf.in
143
144 Removing patch 20_system_conf_limit.patch
145 Restoring bus/system.conf.in
146
147 Removing patch 11_timeout_handling.patch
148 Restoring dbus/dbus-connection.c
149
150 Removing patch 30_rt-as-needed.patch
151 Restoring bus/Makefile.am
152 Restoring bus/Makefile.in
153
154 Removing patch 20_kbsd_cmsgcred.patch
155 Restoring dbus/dbus-sysdeps-unix.c
156
157 Removing patch 10_dbus-1.0.1-generate-xml-docs.patch
158 Restoring Doxyfile.in
159
160 Removing patch 02_dbus_monitor_no_sigint_handler.patch
161 Restoring tools/dbus-monitor.c
162
163 Removing patch 01_no-fatal-warnings.patch
164 Restoring dbus/dbus-internals.c
165
166 Removing patch 00_dbus-quiesce-startup-errors.patch
167 Restoring bus/config-parser.c
168
169 No patches applied
170 Remember to add debian/patches/99-fix-a-vulnerability.patch debian/patches/series to
171 a VCS if you use one
172
17359
174Formatting the changelog and patches60Formatting the changelog and patches
175====================================61====================================
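
Review bot: The removed ``edit-patch`` output was the only place that reminded the reader to add ``debian/patches/99-fix-a-vulnerability.patch`` and ``debian/patches/series`` to version control, and the section now ends at "leave the temporary shell" without saying where the patch ends up. Since the workflow now starts from a bzr branch, add a sentence like the one in fixing-a-bug.rst ("The new patch will have been added into ``debian/patches``") and state whether the files still need to be added to the branch. The context line "Aftering making the necessary changes" should read "After making", and ``/home/user/dbus-vulnerability.diff`` could be a relative path, as fixing-a-bug.rst does with ``../bugfix.patch``.
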
@@ -187,6 +73,7 @@
187 * SECURITY UPDATE: [DESCRIBE VULNERABILITY HERE]73 * SECURITY UPDATE: [DESCRIBE VULNERABILITY HERE]
188 - debian/patches/99-fix-a-vulnerability.patch: [DESCRIBE CHANGES HERE]74 - debian/patches/99-fix-a-vulnerability.patch: [DESCRIBE CHANGES HERE]
189 - [CVE IDENTIFIER]75 - [CVE IDENTIFIER]
76 - [LINK TO UPSTREAM BUG OR SECURITY NOTICE]
190 - LP: #[BUG NUMBER]77 - LP: #[BUG NUMBER]
191 ...78 ...
19279
@@ -215,5 +102,39 @@
215 #. Upgrade to the new version of the package from the previous version102 #. Upgrade to the new version of the package from the previous version
216 #. Test that the new package fixes the vulnerability and does not introduce103 #. Test that the new package fixes the vulnerability and does not introduce
217 any regressions104 any regressions
218 #. Submit your work via a Launchpad bug being sure to mark the bug as a105 #. Submit your work via a Launchpad merge proposal and file a Launchpad bug
219 security bug and to subscribe ``ubuntu-security-sponsors``106 being sure to mark the bug as a security bug and to subscribe
107 ``ubuntu-security-sponsors``
108
109If the security vulnerability is not yet public then do not file a merge
110proposal and ensure you mark the bug as private.
111
112The filed bug should include a Test Case, i.e. a comment which clearly shows how
113to recreate the bug by running the old version then how to ensure the bug no
114longer exists in the new version.
115
116The bug report should also confirm that the issue is fixed in Ubuntu versions
117newer than the one with the proposed fix (in the above example newer than
118Lucid). If the issue is not fixed in newer Ubuntu versions you should prepare
119updates for those versions too.
120
121
122Stable Release Updates
123-------------------------------
124
125We also allow updates to releases where a package has a high impact bug such as
126a severe regression from a previous release or a bug which could cause data
127loss. Due to the potential for such updates to themselves introduce bugs we
128only allow this where the change can be easily understood and verified.
129
130The process for Stable Release Updates is just the same as the proccess for
131security bugs except you should subscribe ``ubuntu-sru`` to the bug.
132
133The update will go into the ``proposed`` archive (for example
134``lucid-proposed``) where it will need to be checked that it fixes the problem
135and does not introduce new problems. After a week without reported problems it
136can be moved to ``updates``.
137
138See the `Stable Release Updates wiki page`_ for more information.
139
140.. _`Stable Release Updates wiki page`: https://wiki.kubuntu.org/StableReleaseUpdates
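
Review bot: The embargo paragraph at new lines 109-110 comes after the numbered step that tells the reader to submit a merge proposal, so someone following the list in order will already have published the fix before reading that it must stay private. Move the condition into that step, for example "If the vulnerability is already public, submit a merge proposal; otherwise do not file a merge proposal and mark the bug as private". Also: "proccess" at new line 130 is a typo, the link target at new line 140 points at wiki.kubuntu.org rather than wiki.ubuntu.com, and the underline under "Stable Release Updates" is longer than its title, unlike the other headings in the file.
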
