Merge ~rodrigo-zaiden/ubuntu-security-tools:fix-build-source-list into ubuntu-security-tools:master

Proposed by Rodrigo Figueiredo Zaiden
Status: Needs review
Proposed branch: ~rodrigo-zaiden/ubuntu-security-tools:fix-build-source-list
Merge into: ubuntu-security-tools:master
Diff against target: 45 lines (+17/-15)
1 file modified
build-tools/build-sources-list (+17/-15)
Reviewer: Eduardo Barretto (Status: Needs Fixing)
Review via email: mp+420586@code.launchpad.net

Commit message

UST: build-source-list: change build ESM PPAs

 From the ubuntu-security-tools.conf file, there are different ways
 to add an ESM release; if a user has a release in the format
 'release/esm-x' it was not building correctly.
 If the format 'esm-x/release' is used, it is not being handled.
 The exception case is for Precise and Trusty, which should be created
 in the format 'release/esm'.

Description of the change

I've seen some different ways to describe an ESM release in
~/.ubuntu-security-tools.conf, such as:
`esm-apps/focal` or `focal/esm-apps`

I'm using the first and I noticed that it was not building the PPAs
correctly, since this case was not handled.
I couldn't find a "correct" format, and as far as I checked, both seems
to be accepted.
In this commit, I'm trying to accept both and handle both.
I understand that in the ideal world, I could be generating the auth part
in the correct file, but for now the warning note remains, I'm just trying
to make this script usable in case someone tries it.

The only special case is for trusty and precise that should be handled
as release/esm since they only have one component. Actually, it could be
time to remove Precise, but I decided to first push with it as it was
still there and if someone thinks that we should remove it, I can create
a new commit.

Thank you!

Eduardo Barretto (ebarretto) wrote :

We should not support the format 'release/esm-{infra/apps}', please follow the new CVE file format which is:
PRODUCT/RELEASE

so it should be:
esm/precise [1]
esm/trusty [1]
esm-infra/xenial
esm-apps/xenial
esm-apps/bionic
esm-apps/focal
esm-apps/jammy

[1] Please note that for precise and trusty we do have an alias set up to accept trusty/esm and precise/esm; this was a decision so we don't have to touch all our CVEs and infrastructure, as their ESM came before the new CVE file format.

review: Needs Fixing
49f76a5... by Rodrigo Figueiredo Zaiden

UST: build-source-list: change build ESM PPAs

  As per the new CVE format, the accepted format is esm{-infra/-apps/release}
  So we can clean a chunk of code and handle only esm{}/x cases.

Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

> we should not support the format 'release/esm-{infra/apps}', please follow the
> new CVE file format which is:
> PRODUCT/RELEASE
>
> so it should be:
> esm/precise [1]
> esm/trusty [1]
> esm-infra/xenial
> esm-apps/xenial
> esm-apps/bionic
> esm-apps/focal
> esm-apps/jammy
>
> [1] Please note that precise and trusty we do have alias setup to accept
> trusty/esm and precise/esm and this was a decision so we don't have to touch
> all our CVEs and infrastructure as their ESM came before the new CVE file
> format.

Thanks Eduardo!

I've made a new commit where I support the format release/esm{-infra/-apps}.
In the end, it is cleaner code.
If you could give it a new look, I'd appreciate it.
Thanks!

Steve Beattie (sbeattie) wrote :

On Wed, Apr 27, 2022 at 06:25:04AM -0000, Eduardo Barretto wrote:
> we should not support the format 'release/esm-{infra/apps}', please follow the new CVE file format which is:
> PRODUCT/RELEASE
>
> so it should be:
> esm/precise [1]
> esm/trusty [1]
> esm-infra/xenial
> esm-apps/xenial
> esm-apps/bionic
> esm-apps/focal
> esm-apps/jammy

Cool, I missed when this was communicated. With the change that
Rodrigo is proposing, `esm/trusty` has to be the format used in
~/.ubuntu-security-tools.conf in order for a sources.list to be
generated that references the trusty ppa for ESM; having `trusty/esm`
results in it being skipped.

> [1] Please note that precise and trusty we do have alias setup to
> accept trusty/esm and precise/esm and this was a decision so we don't
> have to touch all our CVEs and infrastructure as their ESM came before
> the new CVE file format.

The esm/trusty alias does not work correctly for umt download:

$ umt search tzdata | grep trusty
trusty/esm: 2022a-0ubuntu0.14.04+esm1, Pocket: release, Component: main
trusty: 2019a-0ubuntu0.14.04, Pocket: updates, Component: main
$ umt download tzdata -r esm/trusty
Skipping release 'esm/trusty': package not found.
$ umt download tzdata -r trusty/esm
Downloading 'tzdata' version '2022a-0ubuntu0.14.04+esm1' for release 'trusty/esm'.

(This happens regardless of whether ~/.ubuntu-security-tools.conf
contains esm/trusty or trusty/esm in `release_list`.)

--
Steve Beattie

Steve Beattie (sbeattie) wrote :

Hey Rodrigo,

On Wed, Apr 27, 2022 at 01:29:44PM -0000, Rodrigo Figueiredo Zaiden wrote:
> > we should not support the format 'release/esm-{infra/apps}', please follow the
> > new CVE file format which is:
> > PRODUCT/RELEASE
> >
> > so it should be:
> > esm/precise [1]
> > esm/trusty [1]
> > esm-infra/xenial
> > esm-apps/xenial
> > esm-apps/bionic
> > esm-apps/focal
> > esm-apps/jammy
> >
> > [1] Please note that precise and trusty we do have alias setup to accept
> > trusty/esm and precise/esm and this was a decision so we don't have to touch
> > all our CVEs and infrastructure as their ESM came before the new CVE file
> > format.
>
> I've made a new commit where I support the format release/esm{-infra/-apps}
> In the end, it is a cleaner code.
> If you could give a new look at it, I appreciate.

I think there's a bit of confusion about what Eduardo was trying to say.

For xenial and newer, only the formats `esm-{infra,apps}/RELEASE`
should be accepted. For trusty `esm/trusty` and `trusty/esm` both
need to work (in particular the latter format); in this case either
should generate the private ppa entry for trusty. With the revised
change it's only generating a trusty ppa line if `esm/trusty` is used.

That said, feel free to drop references to precise. It is gone and not
coming back.

Thanks!

--
Steve Beattie
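
The acceptance rules Steve lays out above, as an added shell example that is not part of the build-sources-list script or of this proposal: `esm_ppa_for` is a hypothetical helper that maps one `release_list` entry to the `<ppa> <release>` pair an ESM sources.list stanza needs, accepting exactly `esm-infra/<release>`, `esm-apps/<release>`, `trusty/esm` and `esm/trusty`, and rejecting everything else (precise included) with a non-zero exit instead of emitting a line for a PPA that does not exist. The sample release list is constructed.

```shell
#!/bin/sh
# Added example, not the project's build-sources-list script.
# esm_ppa_for is a hypothetical helper: given one release_list entry
# from ~/.ubuntu-security-tools.conf, print "<ppa> <release>" for the
# ESM PPA it belongs to, following the rules stated in the review:
#   esm-infra/<release>, esm-apps/<release> -> esm-{infra,apps}-security <release>
#   trusty/esm and esm/trusty               -> esm-infra-security trusty
#   anything else (precise, release/esm-*, typos) -> rejected, exit 1
esm_ppa_for() {
    entry="$1"
    case "$entry" in
        trusty/esm|esm/trusty)
            echo "esm-infra-security trusty" ;;
        esm-infra/*|esm-apps/*)
            component="${entry%%/*}"   # text before the first slash
            release="${entry#*/}"      # text after the first slash
            # An empty release or a second slash is not a valid entry.
            case "$release" in
                ''|*/*) return 1 ;;
            esac
            echo "${component}-security ${release}" ;;
        *)
            return 1 ;;
    esac
}

# Constructed sample release_list mixing accepted and rejected forms.
sample_release_list="esm-apps/focal esm-infra/xenial trusty/esm esm/trusty focal/esm-apps esm/precise esm-app/focal"

# Number of sample entries that esm_ppa_for accepts (expected: 4).
count_accepted() {
    n=0
    for r in $sample_release_list; do
        if esm_ppa_for "$r" >/dev/null; then n=$((n+1)); fi
    done
    echo "$n"
}

# Walk the sample list and show the mapping or the rejection.
for r in $sample_release_list; do
    if out=$(esm_ppa_for "$r"); then
        echo "$r -> $out"
    else
        echo "$r -> rejected" >&2
    fi
done
```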

64d9697... by Rodrigo Figueiredo Zaiden

UST: build-source-list: build ESM PPAs

    Handle trusty/esm and esm{-infra/-apps}/release,
    including esm/trusty and remove precise esm.

Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

Thanks Steve and Eduardo for discussing the idea.

Just pushed a new review adding support for trusty/esm and removing precise.
Decided to go in a "hardcoded" style for trusty/esm for better readability instead of trying to play with regex for all cases: trusty/esm and esm[-infra|-apps]/release.
esm/trusty is still supported although it can break stuff around `umt download`.

Thanks for revisiting it whenever possible.

Unmerged commits

64d9697... by Rodrigo Figueiredo Zaiden

UST: build-source-list: build ESM PPAs

    Handle trusty/esm and esm{-infra/-apps}/release,
    including esm/trusty and remove precise esm.

49f76a5... by Rodrigo Figueiredo Zaiden

UST: build-source-list: change build ESM PPAs

  As per the new CVE format, the accepted format is esm{-infra/-apps/release}
  So we can clean a chunk of code and handle only esm{}/x cases.

f9597dd... by Rodrigo Figueiredo Zaiden

UST: build-source-list: change build ESM PPAs

 From the ubuntu-security-tools.conf file, there are different ways
 to add an ESM release; if a user has a release in the format
 'release/esm-x' it was not building correctly.
 If the format 'esm-x/release' is used, it is not being handled.
 The exception case is for Precise and Trusty, which should be created
 in the format 'release/esm'.

Preview Diff

diff --git a/build-tools/build-sources-list b/build-tools/build-sources-list
index bb91469..baa0711 100755
--- a/build-tools/build-sources-list
+++ b/build-tools/build-sources-list
@@ -114,23 +114,25 @@ EOM
114 ppa_overlay="image"114 ppa_overlay="image"
115 emit_ppa_overlay "snappy-dev" "$ppa_overlay" "${ppa_overlay_release}"115 emit_ppa_overlay "snappy-dev" "$ppa_overlay" "${ppa_overlay_release}"
116116
117 # ESM overlay ppas117 # Trusty ESM overlay ppa
118 elif echo "$r" | grep -q "/esm" ; then118 elif echo "$r" | grep -q "trusty/esm" ; then
119 ppa_overlay_release=$(echo "$r" | cut -f 1 -d '/')119 emit_private_ppa_overlay "ubuntu-esm" "esm-infra-security" "trusty"
120 if [ "$ppa_overlay_release" = "precise" ] ; then120 echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918"
121 ppa_overlay="esm"121
122 emit_private_ppa_overlay "ubuntu-esm" "$ppa_overlay" "${ppa_overlay_release}"122 # ESM Infra/Apps overlay ppas
123 echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918"123 # in the format "esm{-infra|-apps}/<release>"
124 else124 elif echo "$r" | grep -qe "esm.*/" ; then
125 # newer ESM releases are in the esm-infra-security and125 ppa_overlay_release=$(echo "$r" | cut -f 2 -d '/')
126 # esm-apps-security ppas126 if [ "$ppa_overlay_release" = "trusty" ] ; then
127 # Trusty ESM release is in ubuntu-esm/esm-infra-security
127 ppa_overlay="esm-infra-security"128 ppa_overlay="esm-infra-security"
128 emit_private_ppa_overlay "ubuntu-esm" "$ppa_overlay" "${ppa_overlay_release}"129 else
129 echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918"130 ppa_esm_component=$(echo "$r" | cut -f 1 -d '/')
130 ppa_overlay="esm-apps-security"131 ppa_overlay="$ppa_esm_component-security"
131 emit_private_ppa_overlay "ubuntu-esm" "$ppa_overlay" "${ppa_overlay_release}"
132 echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918"
133 fi132 fi
133 emit_private_ppa_overlay "ubuntu-esm" "$ppa_overlay" "${ppa_overlay_release}"
134 echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918"
135
134 # normal ubuntu releases.136 # normal ubuntu releases.
135 else137 else
136 if [ "$r" = "precise" ] ; then138 if [ "$r" = "precise" ] ; then
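Review bot: the new `elif echo "$r" | grep -qe "esm.*/" ; then` test is far looser than the comment right above it (`# in the format "esm{-infra|-apps}/<release>"`) states: the pattern is unanchored and accepts any entry with `esm` somewhere before a `/`, and whatever precedes the slash is then spliced straight into `ppa_overlay="$ppa_esm_component-security"`, so a mistyped entry such as `esm-app/focal` yields a sources line for a non-existent `esm-app-security` PPA instead of being rejected. Anchoring the match to the documented forms, e.g. `grep -qE '^esm(-infra|-apps)?/'`, would keep the behaviour in line with the comment (and still admit `esm/trusty`); for the same reason the trusty branch's `grep -q "trusty/esm"` substring test would be more robust as the exact comparison `[ "$r" = "trusty/esm" ]`, matching the `[ "$r" = "precise" ]` style already used in the trailing context.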

Subscribers

People subscribed via source and target branches