Merge ~lgp171188/lpci:document-security-fixes-rebuild-process into lpci:main

LGTM!

I have never requested a new build - are there any particular parameters we should choose when doing so, or is that case-by-case dependent? If there are specific parameters one should use, maybe would be worth it adding them?

> I have never requested a new build - are there any particular parameters we should choose when doing so, or is that case-by-case dependent? If there are specific parameters one should use, maybe would be worth it adding them?

Afaik, the defaults should suffice. It makes sense to mention that - I will add it.

Inês, I have added it in the latest revision now.

Afair the Snaps are automatically rebuilt when pushing new changes, even if those changes are only updating the NEWS.rst - why is it necessary to rebuilb the snap from the recipe page?

Jürgen, having to push a commit to get new binaries is busy-work (and, longer-term, it doesn't align with how we're likely to be doing things for builds of aggregated artifacts in Superdistro). Simply pushing a "rebuild" button is less effort.

Indeed, I was already thinking of how this will work in future. I have no concrete answer, but I assume some kind of log should be there.

From a user's perspective, it is a bit unsatisfying to have a version upgrade without release notes. But in case the version upgrade breaks something, they will reach out to us anyway.

In case of an issue, is there any way we can track down what was updated, except for hopefully not have deleted the email by security?

In some ways I agree regarding it being unsatisfying, but this is definitely the direction Canonical is going in for simple rebuilds of aggregates. (And the trade-off is that the release notes end up being more focused on direct code changes to lpci itself, and less cluttered with rebuilds.)

People with publishing access to `lpci` can look up and download individual snaps by revision using `snapcraft list-revisions lpci` and `snap download --revision=NNN lpci`, and you can then diff their manifests. So, for example:

```
$ snap download --revision=56 lpci
Fetching snap "lpci"
Fetching assertions for "lpci"
Install the snap with:
   snap ack lpci_56.assert
   snap install lpci_56.snap
$ snap download --revision=61 lpci
Fetching snap "lpci"
Fetching assertions for "lpci"
Install the snap with:
   snap ack lpci_61.assert
   snap install lpci_61.snap
$ diff -u <(unsquashfs -cat lpci_56.snap snap/manifest.yaml) <(unsquashfs -cat lpci_61.snap snap/manifest.yaml)
--- /dev/fd/63 2023-06-14 18:34:48.413456536 +0100
+++ /dev/fd/62 2023-06-14 18:34:48.417456536 +0100
@@ -1,5 +1,5 @@
 snapcraft-version: 7.3.1
-snapcraft-started-at: '2023-04-21T15:03:08.840305Z'
+snapcraft-started-at: '2023-05-02T07:18:55.004260Z'
 snapcraft-os-release-id: ubuntu
 snapcraft-os-release-version-id: '20.04'
 name: lpci
@@ -72,8 +72,8 @@
     - gcc-9-base=9.4.0-1ubuntu1~20.04.1
     - gcc-9=9.4.0-1ubuntu1~20.04.1
     - gcc=4:9.3.0-1ubuntu2
- - git-man=1:2.25.1-1ubuntu3.10
- - git=1:2.25.1-1ubuntu3.10
+ - git-man=1:2.25.1-1ubuntu3.11
+ - git=1:2.25.1-1ubuntu3.11
     - gpg-agent=2.2.19-3ubuntu2.2
     - gpg=2.2.19-3ubuntu2.2
     - gpgconf=2.2.19-3ubuntu2.2
@@ -209,8 +209,8 @@
     - libss2=1.45.5-2ubuntu1.1
     - libssh-4=0.9.3-2ubuntu2.2
     - libssh2-1=1.8.0-2.1build1
- - libssl-dev=1.1.1f-1ubuntu2.17
- - libssl1.1=1.1.1f-1ubuntu2.17
+ - libssl-dev=1.1.1f-1ubuntu2.18
+ - libssl1.1=1.1.1f-1ubuntu2.18
     - libstd-rust-1.65=1.65.0+dfsg0ubuntu1~llvm2-0ubuntu0.20.04
     - libstd-rust-dev=1.65.0+dfsg0ubuntu1~llvm2-0ubuntu0.20.04
     - libstdc++-9-dev=9.4.0-1ubuntu1~20.04.1
@@ -226,7 +226,7 @@
     - libwind0-heimdal=7.7.0+dfsg-1ubuntu1.4
     - libwrap0=7.6.q-30
     - libzstd1=1.4.4+dfsg-3ubuntu0.1
- - linux-libc-dev=5.4.0-147.164
+ - linux-libc-dev=5.4.0-148.165
     - lockfile-progs=0.1.18
     - login=1:4.8.1-1ubuntu5.20.04.4
     - logsave=1.45.5-2ubuntu1.1
@@ -238,7 +238,7 @@
     - ncurses-base=6.2-0ubuntu2
     - ncurses-bin=6.2-0ubuntu2
     - openssh-client=1:8.2p1-4ubuntu0.5
- - openssl=1.1.1f-1ubuntu2.17
+ - openssl=1.1.1f-1ubuntu2.18
     - optipng=0.7.7-1
     - passwd=1:4.8.1-1ubuntu5.20.04.4
     - patch=2.7.6-6
@@ -274,7 +274,7 @@
     - systemd=245.4-4ubuntu3.21
     - sysvinit-utils=2.96-2.1ubuntu1
     - tar=1.30+dfsg-7ubuntu0.20.04.3
- - tzdata=2023c-0ubuntu0.20.04.0
+ - tzdata=2023c-0ubuntu0.20.04.1
     - ubuntu-keyring=2020.02.11.4
     - udev=245.4-4ubuntu3.21
     - util-linux=2.34-0.1ubuntu9.3
@@ -309,8 +309,8 @@
     stage: []
     stage-packages:
     - apt=2.0.9
- - git-man=1:2.25.1-1ubuntu3.10
- - git=1:2.25.1-1ubuntu3.10
+ - git-man=1:2.25.1-1ubuntu3.11
+ - git=1:2.25.1-1ubuntu3.11
 ...

Here is the conversation on Mattermost that lead to this MP - https://chat.canonical.com/canonical/pl/a66mxng4ytnjudkx48kpwynrha.

This is the comment from William that convinced me that this is the way to go.

> Well, it's possible that the LP team has that rule, but snaps in general definitely don't. The snap version matches the upstream version number, which usually doesn't increment just because Ubuntu's published a CVE fix for a dependency.

Thanks Colin, that is helpful!

Thanks for the pointer, Guruprasad.