Merge lp:~jr/ubuntu-packaging-guide/04-security-and-stable-release-updates into lp:ubuntu-packaging-guide

Proposed by Jonathan Riddell
Status: Merged
Approved by: Barry Warsaw
Approved revision: 80
Merged at revision: 50
Proposed branch: lp:~jr/ubuntu-packaging-guide/04-security-and-stable-release-updates
Merge into: lp:ubuntu-packaging-guide
Prerequisite: lp:~jr/ubuntu-packaging-guide/03-packaging-from-scratch
Diff against target: 280 lines (+67/-140)
3 files modified
fixing-a-bug.rst (+10/-4)
index.rst (+1/-1)
security-and-stable-release-updates.rst (+56/-135)
To merge this branch: bzr merge lp:~jr/ubuntu-packaging-guide/04-security-and-stable-release-updates
Reviewer Review Type Date Requested Status
Barry Warsaw (community) Approve
Review via email: mp+68538@code.launchpad.net

Commit message

Add information on stable release updates
Tidy up the security article and make it follow UDD practices

Description of the change

Add information on stable release updates
Tidy up the security article and make it follow UDD practices

80. By Jonathan Riddell

make instructions for adding a patch consistent

Revision history for this message
Barry Warsaw (barry) wrote :

This (and the other mp's) are all really great work! Thanks for making such fantastic improvements to the guide.

review: Approve

Preview Diff

1=== modified file 'fixing-a-bug.rst'
2--- fixing-a-bug.rst 2011-07-18 11:03:52 +0000
3+++ fixing-a-bug.rst 2011-07-20 13:31:52 +0000
4@@ -100,13 +100,19 @@
5 .. XXX: Link to 'update to a new version' article.
6 .. XXX: Link to 'send stuff upstream/Debian' article. (Launchpad bug 704845)
7
8-If you find a patch to fix the problem, say, attached to a bug report, running
9-this command in the source directory should apply the patch::
10+You now want to create a patch which includes the fix. The command
11+``edit-patch`` is a simple way to add a patch to a package. Run::
12+
13+ $ edit-patch 99-new-patch
14+
15+This will copy the packaging to a temporary directory. You can now edit files
16+with a text editor or apply patches from upstream, for example::
17
18 $ patch -p1 < ../bugfix.patch
19
20-Refer to the ``patch(1)`` manpage for options and arguments such as
21-``--dry-run``, ``-p<num>``, etc.
22+After editing the file type ``exit`` or press ``control-d`` to quit the
23+temporary shell. The new patch will have been added into ``debian/patches``.
24+
25
26 Testing the fix
27 ===============
28
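Review bot: the example `$ patch -p1 < ../bugfix.patch` is carried over from the old text, but the new paragraph states that `edit-patch` copies the packaging to a temporary directory, so a path relative to the original source tree (`../bugfix.patch`) may not resolve from inside that temporary shell; use an absolute path, as the sibling article does with `/home/user/dbus-vulnerability.diff`, or say that the path is relative to the temporary directory. Two smaller points: "After editing the file type ``exit``" needs a comma after "file", and the added line 24 leaves two blank lines before "Testing the fix".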
29=== modified file 'index.rst'
30--- index.rst 2011-07-20 13:31:52 +0000
31+++ index.rst 2011-07-20 13:31:52 +0000
32@@ -29,7 +29,7 @@
33 udd-intro
34 packaging-from-scratch
35 fixing-a-bug
36- fixing-a-bug-security
37+ security-and-stable-release-updates
38
39 Knowledge Base
40 --------------
41
42=== renamed file 'fixing-a-bug-security.rst' => 'security-and-stable-release-updates.rst'
43--- fixing-a-bug-security.rst 2011-07-20 11:05:17 +0000
44+++ security-and-stable-release-updates.rst 2011-07-20 13:31:52 +0000
45@@ -1,6 +1,9 @@
46-===============================
47-Fixing a security bug in Ubuntu
48-===============================
49+===================================
50+Security and Stable Release Updates
51+===================================
52+
53+Fixing a Security Bug in Ubuntu
54+-------------------------------
55
56 Introduction
57 ============
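Review bot: with the over-and-underlined `===` document title and the `---` section inserted above it, the unchanged "Introduction" heading (underline-only `===`) becomes a third-level heading. reStructuredText accepts this because adornment levels are assigned in order of first use, but check the Sphinx build output and the toctree depth to confirm the subsections of "Fixing a Security Bug in Ubuntu" still appear where intended.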
58@@ -11,60 +14,24 @@
59 be updating the dbus package in Ubuntu 10.04 LTS (Lucid Lynx) for a security
60 update.
61
62-Since security updates are most often in stable releases of Ubuntu, you'll need
63-to add ``deb-src`` lines to your apt configuration for the stable releases you
64-want to fix. So after :doc:`you are set up for Ubuntu
65-Development</getting-set-up>`, you'll want to add something like this to
66-``/etc/apt/sources.list.d/security-sources.list``::
67-
68- # lucid
69- deb-src http://archive.ubuntu.com/ubuntu/ lucid main restricted universe multiverse
70- deb-src http://archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe multiverse
71- deb-src http://security.ubuntu.com/ubuntu/ lucid-security main restricted universe multiverse
72-
73-Then run the following command to put your changes into effect::
74-
75- $ sudo apt-get update
76-
77
78 Obtaining the source
79 ====================
80+
81 In this example, we already know we want to fix the dbus package in Ubuntu
82 10.04 LTS (Lucid Lynx). So first you need to determine the version of the
83 package you want to download. We can use the ``rmadison`` to help with this::
84
85- $ rmadison dbus
86- dbus | 1.1.20-1ubuntu1 | hardy | source, amd64, i386
87- dbus | 1.1.20-1ubuntu3.4 | hardy-security | source, amd64, i386
88- dbus | 1.1.20-1ubuntu3.4 | hardy-updates | source, amd64, i386
89+ $ rmadison dbus | grep lucid
90 dbus | 1.2.16-2ubuntu4 | lucid | source, amd64, i386
91 dbus | 1.2.16-2ubuntu4.1 | lucid-security | source, amd64, i386
92 dbus | 1.2.16-2ubuntu4.2 | lucid-updates | source, amd64, i386
93- dbus | 1.4.0-0ubuntu1 | maverick | source, amd64, i386
94- dbus | 1.4.0-0ubuntu1.1 | maverick-security | source, amd64, i386
95- dbus | 1.4.0-0ubuntu1.2 | maverick-updates | source, amd64, i386
96- dbus | 1.4.6-1ubuntu6 | natty | source, amd64, i386
97- dbus | 1.4.12-4ubuntu2 | oneiric | source, amd64, i386
98
99 Typically you will want to choose the highest version for the release you want
100 to patch that is not in -proposed or -backports. Since we are updating Lucid's
101-dbus, you'll download 1.2.16-2ubuntu4.2::
102+dbus, you'll download 1.2.16-2ubuntu4.2 from lucid-updates::
103
104- daniel@bert:~$ LC_ALL=C apt-get source dbus=1.2.16-2ubuntu4.2
105- Reading package lists... Done
106- Building dependency tree
107- Reading state information... Done
108- NOTICE: 'dbus' packaging is maintained in the 'Svn' version control system at:
109- svn://svn.debian.org/svn/pkg-utopia/packages/unstable/dbus
110- Need to get 1,613 kB of source archives.
111- Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dbus 1.2.16-2ubuntu4.2 (dsc) [2,360 B]
112- Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dbus 1.2.16-2ubuntu4.2 (tar) [1,576 kB]
113- Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dbus 1.2.16-2ubuntu4.2 (diff) [34.6 kB]
114- Fetched 1,613 kB in 0s (9,222 kB/s)
115- dpkg-source: info: extracting dbus in dbus-1.2.16
116- dpkg-source: info: unpacking dbus_1.2.16.orig.tar.gz
117- dpkg-source: info: applying dbus_1.2.16-2ubuntu4.2.diff.gz
118- daniel@bert:~$
119+ $ bzr branch ubuntu:lucid-updates/dbus
120
121
122 Patching the source
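Review bot: the prose still says to download 1.2.16-2ubuntu4.2, but `bzr branch ubuntu:lucid-updates/dbus` fetches the current tip of the lucid-updates branch rather than a named version, so the text and the command will drift apart as further updates land; suggest adding a line to confirm the version after branching, e.g. `head -n1 dbus/debian/changelog` or `dpkg-parsechangelog -l dbus/debian/changelog`. It would also help to state why lucid-updates rather than lucid-security is the base: the rmadison output shows 4.2 in -updates newer than 4.1 in -security, which the "highest version" rule covers only implicitly. Nit in the retained context: "We can use the ``rmadison`` to help" is missing the word "command".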
123@@ -78,98 +45,17 @@
124
125 To create your patch using ``edit-patch``::
126
127- daniel@bert:~$ cd dbus-1.2.16
128- daniel@bert:~/dbus-1.2.16$ edit-patch 99-fix-a-vulnerability
129- Normalizing patch path to 99-fix-a-vulnerability
130- Normalizing patch name to 99-fix-a-vulnerability.patch
131- Applying patch 00_dbus-quiesce-startup-errors.patch
132- patching file bus/config-parser.c
133-
134- Applying patch 01_no-fatal-warnings.patch
135- patching file dbus/dbus-internals.c
136-
137- Applying patch 02_dbus_monitor_no_sigint_handler.patch
138- patching file tools/dbus-monitor.c
139-
140- Applying patch 10_dbus-1.0.1-generate-xml-docs.patch
141- patching file Doxyfile.in
142-
143- Applying patch 20_kbsd_cmsgcred.patch
144- patching file dbus/dbus-sysdeps-unix.c
145-
146- Applying patch 30_rt-as-needed.patch
147- patching file bus/Makefile.am
148- patching file bus/Makefile.in
149-
150- Applying patch 11_timeout_handling.patch
151- patching file dbus/dbus-connection.c
152-
153- Applying patch 20_system_conf_limit.patch
154- patching file bus/system.conf.in
155-
156- Applying patch 81-session.conf-timeout.patch
157- patching file bus/session.conf.in
158-
159- Applying patch 99-CVE-2010-4352.patch
160- patching file dbus/dbus-marshal-validate.c
161- patching file dbus/dbus-marshal-validate.h
162- patching file dbus/dbus-message-factory.c
163- patching file doc/dbus-specification.xml
164-
165- Now at patch 99-CVE-2010-4352.patch
166- Patch 99-fix-a-vulnerability.patch is now on top
167- daniel@bert:/tmp/quilt-2oLXmw$ ls dbus/dbus-marshal-validate.c
168- dbus/dbus-marshal-validate.c
169- daniel@bert:/tmp/quilt-2oLXmw$ vi dbus/dbus-marshal-validate.c
170+ $ cd dbus
171+ $ edit-patch 99-fix-a-vulnerability
172+
173+This will apply the existing patches and put the packaging in a temporary
174+directory. Now edit the files needed to fix the vulnerability. Often upstream
175+will have provided a patch so you can apply that patch::
176+
177+ $ patch -p1 < /home/user/dbus-vulnerability.diff
178
179 Aftering making the necessary changes, you just hit Ctrl-D or type exit to
180-leave the subshell. E.g.::
181-
182- daniel@bert:/tmp/quilt-2oLXmw$ exit
183- exit
184- File ./dbus/dbus-marshal-validate.c added to patch 99-fix-a-vulnerability.patch
185- Refreshed patch 99-fix-a-vulnerability.patch
186- Removing patch 99-fix-a-vulnerability.patch
187- Restoring dbus/dbus-marshal-validate.c
188-
189- Removing patch 99-CVE-2010-4352.patch
190- Restoring doc/dbus-specification.xml
191- Restoring dbus/dbus-marshal-validate.h
192- Restoring dbus/dbus-marshal-validate.c
193- Restoring dbus/dbus-message-factory.c
194-
195- Removing patch 81-session.conf-timeout.patch
196- Restoring bus/session.conf.in
197-
198- Removing patch 20_system_conf_limit.patch
199- Restoring bus/system.conf.in
200-
201- Removing patch 11_timeout_handling.patch
202- Restoring dbus/dbus-connection.c
203-
204- Removing patch 30_rt-as-needed.patch
205- Restoring bus/Makefile.am
206- Restoring bus/Makefile.in
207-
208- Removing patch 20_kbsd_cmsgcred.patch
209- Restoring dbus/dbus-sysdeps-unix.c
210-
211- Removing patch 10_dbus-1.0.1-generate-xml-docs.patch
212- Restoring Doxyfile.in
213-
214- Removing patch 02_dbus_monitor_no_sigint_handler.patch
215- Restoring tools/dbus-monitor.c
216-
217- Removing patch 01_no-fatal-warnings.patch
218- Restoring dbus/dbus-internals.c
219-
220- Removing patch 00_dbus-quiesce-startup-errors.patch
221- Restoring bus/config-parser.c
222-
223- No patches applied
224- Remember to add debian/patches/99-fix-a-vulnerability.patch debian/patches/series to
225- a VCS if you use one
226-
227+leave the temporary shell.
228
229 Formatting the changelog and patches
230 ====================================
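Review bot: the retained context line "Aftering making the necessary changes" has a typo (After making), and it says "hit Ctrl-D" while the fixing-a-bug.rst hunk says "press ``control-d``"; since this revision is about making the patch instructions consistent, pick one spelling in both articles. The removed quilt output also carried the reminder to add the new patch and debian/patches/series to version control; now that the source is a bzr branch, the new file is untracked until `bzr add debian/patches/99-fix-a-vulnerability.patch`, so keep that reminder in prose unless a later section already covers committing. `/home/user/dbus-vulnerability.diff` reads as a literal path; `~/dbus-vulnerability.diff` or `/path/to/dbus-vulnerability.diff` makes the placeholder obvious.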
231@@ -187,6 +73,7 @@
232 * SECURITY UPDATE: [DESCRIBE VULNERABILITY HERE]
233 - debian/patches/99-fix-a-vulnerability.patch: [DESCRIBE CHANGES HERE]
234 - [CVE IDENTIFIER]
235+ - [LINK TO UPSTREAM BUG OR SECURITY NOTICE]
236 - LP: #[BUG NUMBER]
237 ...
238
239@@ -215,5 +102,39 @@
240 #. Upgrade to the new version of the package from the previous version
241 #. Test that the new package fixes the vulnerability and does not introduce
242 any regressions
243- #. Submit your work via a Launchpad bug being sure to mark the bug as a
244- security bug and to subscribe ``ubuntu-security-sponsors``
245+ #. Submit your work via a Launchpad merge proposal and file a Launchpad bug
246+ being sure to mark the bug as a security bug and to subscribe
247+ ``ubuntu-security-sponsors``
248+
249+If the security vulnerability is not yet public then do not file a merge
250+proposal and ensure you mark the bug as private.
251+
252+The filed bug should include a Test Case, i.e. a comment which clearly shows how
253+to recreate the bug by running the old version then how to ensure the bug no
254+longer exists in the new version.
255+
256+The bug report should also confirm that the issue is fixed in Ubuntu versions
257+newer than the one with the proposed fix (in the above example newer than
258+Lucid). If the issue is not fixed in newer Ubuntu versions you should prepare
259+updates for those versions too.
260+
261+
262+Stable Release Updates
263+-------------------------------
264+
265+We also allow updates to releases where a package has a high impact bug such as
266+a severe regression from a previous release or a bug which could cause data
267+loss. Due to the potential for such updates to themselves introduce bugs we
268+only allow this where the change can be easily understood and verified.
269+
270+The process for Stable Release Updates is just the same as the proccess for
271+security bugs except you should subscribe ``ubuntu-sru`` to the bug.
272+
273+The update will go into the ``proposed`` archive (for example
274+``lucid-proposed``) where it will need to be checked that it fixes the problem
275+and does not introduce new problems. After a week without reported problems it
276+can be moved to ``updates``.
277+
278+See the `Stable Release Updates wiki page`_ for more information.
279+
280+.. _`Stable Release Updates wiki page`: https://wiki.kubuntu.org/StableReleaseUpdates
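Review bot: "proccess" (line 270) should be "process". The "Stable Release Updates" underline is 31 dashes under a 22-character title; docutils accepts a longer underline, but the other new heading matches its title exactly, so trim it for consistency. In the SRU paragraph, "it will need to be checked that it fixes the problem" followed by "After a week without reported problems it can be moved to ``updates``" reads as if silence is sufficient; if the check has to be recorded on the bug before the move, say so explicitly so readers do not skip the verification step. Finally, confirm that https://wiki.kubuntu.org/StableReleaseUpdates is the intended host for this process page, since the rest of the guide refers to Ubuntu rather than Kubuntu.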
