Comment 7 for bug 1887943

Bryce Harrington (bryce) wrote : Re: TLS is not enabled for memcached>=1.5.13

Thanks for landing it in Debian, and great to hear it sync'd into groovy without issue. I'm marking the groovy task as Fix Released, and set the status on the focal task to Triaged.

I'll be glad to walk you through the SRU process. The first step is to fill in the "SRU paperwork". I've pasted the template into the bug description, which you should be able to edit (see the yellow pencil icon on the right of the Bug Description). You can see some examples of other TLS enablement SRUs that got accepted here, for an idea of what needs to be said:

https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1845263
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386

The apache2 one is probably the right level of detail to follow. The openssl one is far more verbose than SRUs usually are, but useful to see the types of concerns TLS enablement SRUs have considered in the past.

For the Impact section, especially for wishlist SRUs, you should indicate other users besides OpenStack that will be benefited by this change. The SRU reviewers will be considering the breadth of the impact.

For the Regression Potential, the section from the apache2 bug linked above is a good starting point. The main thing to think about is if there was a regression, how would testers/users notice it, and distinguish it as a TLS-caused regression vs. some other random bug?

The Test Case section is IMHO the most crucial for SRUs and should try to give a 'paint by numbers' way to both reproduce the issue and to verify the fix works.

The [Fix] section is optional but I've gone ahead and added it.

The next step is to prepare a PPA with the patch applied on top of the focal version of memcached. Essentially, apt-get source memcached, then apply https://salsa.debian.org/lamby/pkg-memcached/-/commit/39c91c8d5eb9fc48fda31723923659c518d6577f. Add a changelog entry, with the version set to "1.5.22-2ubuntu0.1", and run 'update-maintainer' which will set debian/control properly. Create a PPA and upload your package there, verify it builds ok, and link to it from this bug report. If you prefer us to handle any of that, just ask.

At that point, myself or one of the server team members will take over. We'll review and sponsor the upload into focal-proposed, and submit it for SRU review. For the SRU, a security team review is probably also needed.

For reference, the official SRU policy is here: https://wiki.ubuntu.com/StableReleaseUpdates, mainly just section 3.

Good luck, and if you need help just ask.