Merge ~rodrigo-zaiden/ubuntu-cve-tracker:merge_esm_kernel_changes into ubuntu-cve-tracker:master

Proposed by Rodrigo Figueiredo Zaiden
Status: Merged
Merged at revision: 0f20c5bee31dc0e7f3b00706a851db8942bec135
Proposed branch: ~rodrigo-zaiden/ubuntu-cve-tracker:merge_esm_kernel_changes
Merge into: ubuntu-cve-tracker:master
Diff against target: 39 lines (+10/-4)
1 file modified
scripts/prepare-kernel-usn.py (+10/-4)
Reviewer: Steve Beattie (Approve)
Review via email: mp+443137@code.launchpad.net

Commit message

scripts/prepare-kernel-usn.py: add esm-ppa argument

 with the '--esm-ppa' argument, we add the capability to create USNs for
 active and ESM kernel releases in the same execution. It simply checks
 if the new argument is present and if the release is ESM; if so, it adds
 the necessary arguments for 'sis-changes' to download ESM kernel change
 files.

 before this commit, if we wanted to publish an ESM and active kernel
 release in the same USN we had to merge the changes manually after
 running the commands for ESM and active kernel releases separately.

Description of the change

In the current execution of 'prepare-kernel-usn', if we have kernels in ESM
and active releases we must run the commands separately, passing the ESM
ppa instead of the archive ppa argument so that sis-changes downloads the
changes properly, and then merge them manually later.

for regular archive ppa release:
    ./scripts/prepare-kernel-usn.py -d -n -p Security bionic \
      bionic/linux-oracle: 4.15.0-1119.130
    [...]
    /home/rodrigo/git-pulls/ubuntu-cve-tracker/scripts/sis-changes \
      --ppa ubuntu --pocket Security -r bionic \
      --download /tmp/prepare-kernel-usn-620qey9a/usn-bionic-linux-oracle \
      linux-oracle linux-meta-oracle linux-signed-oracle
    [...]

for ESM release:
    ./scripts/prepare-kernel-usn.py -d -n \
      --ppa ubuntu-esm/esm-infra-security --include-eol \
      xenial xenial/linux-oracle: 4.15.0-1119.130~16.04.1
    [...]
    /home/rodrigo/git-pulls/ubuntu-cve-tracker/scripts/sis-changes \
      --include-eol --ppa ubuntu-esm/esm-infra-security -r xenial \
      --download /tmp/prepare-kernel-usn-ibstv2m4/usn-xenial-linux-oracle \
      linux-oracle linux-meta-oracle linux-signed-oracle
    [...]

and now with the proposed change:
    ./scripts/prepare-kernel-usn.py -d -n --esm-ppa \
      ubuntu-esm/esm-infra-security -p Security \
      xenial xenial/linux-oracle: 4.15.0-1119.130~16.04.1 \
      bionic/linux-oracle: 4.15.0-1119.130
    [...]
    /home/rodrigo/git-pulls/ubuntu-cve-tracker/scripts/sis-changes \
      --ppa ubuntu-esm/esm-infra-security --include-eol -r xenial \
      --download /tmp/prepare-kernel-usn-p7yhhb2o/usn-xenial-linux-oracle \
      linux-oracle linux-meta-oracle linux-signed-oracle
    [...]
    /home/rodrigo/git-pulls/ubuntu-cve-tracker/scripts/sis-changes \
      --ppa ubuntu --pocket Security -r bionic \
      --download /tmp/prepare-kernel-usn-p7yhhb2o/usn-bionic-linux-oracle \
      linux-oracle linux-meta-oracle linux-signed-oracle
    [...]

'sis-changes' is still working as expected; the commands are the same, but
they are executed all together and will merge the changes into the same USN.

extra notes:
* if pocket ('-p') or ppa ('--ppa') is not passed at all, it also works.
  The default if nothing is passed is the 'ubuntu' archive and the 'security'
  pocket. It remains like that with the new argument, that is, if
  '--esm-ppa' is passed and nothing else, but non-ESM releases are passed,
  it will get the kernel changes for these releases from the archive.

Steve Beattie (sbeattie) wrote :

Nice! That's way more straightforward than the convoluted mechanisms I had been coming up with!

review: Approve

Preview Diff

1diff --git a/scripts/prepare-kernel-usn.py b/scripts/prepare-kernel-usn.py
2index ac92da5..94b7879 100755
3--- a/scripts/prepare-kernel-usn.py
4+++ b/scripts/prepare-kernel-usn.py
5@@ -3,7 +3,7 @@
6 # Author: Kees Cook <kees@ubuntu.com>
7 # Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
8 # Author: Steve Beattie <sbeattie@ubuntu.com>
9-# Copyright: 2011,2012,2017 Canonical, Ltd
10+# Copyright: 2011-2023 Canonical, Ltd
11 # License: GPLv3
12 #
13 # Walk through the steps to do a standard kernel publication using the
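Review bot: the copyright header change on lines 9-10 is unrelated to the '--esm-ppa' feature described in the commit message; either mention it in the commit message or split it into its own commit so the history stays easy to bisect.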
14@@ -175,6 +175,7 @@ parser.add_argument('-F', '--force', action='store_true', default=False, help='O
15 parser.add_argument('--use-changes', action='store', default=None, help='Use previously downloaded changes files from prior run (sets --keep-changes as well')
16 parser.add_argument('--keep-changes', action='store_true', default=False, help='Keep changes files downloaded by sis-changes')
17 parser.add_argument("--ignore-released-cves-in-changelog", action='store_true', help="Filter out CVEs already marked as released")
18+parser.add_argument("--esm-ppa", action='store', help="Add kernels from ESM PPA if any, can be used when merging ESM with active kernels (sets --include-eol)")
19 parser.add_argument('release', action='store', nargs=1, help='Primary release name (e.g. xenial)')
20 parser.add_argument('kernel', action=KernelVersionAction, nargs='+', help='Kernel source package name and versions; e.g. "linux 4.4.0-42.62. Source package can be a release/name pair"')
21 args = parser.parse_args()
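Review bot: the new '--esm-ppa' option on line 18 takes a value but its help text does not say what that value looks like; adding `metavar='PPA'` and an example such as the `ubuntu-esm/esm-infra-security` string used in the description would make `--help` self-explanatory, and "(sets --include-eol)" should be qualified to "for ESM releases only", since the archive path for non-ESM releases is unchanged.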
22@@ -274,9 +275,14 @@ try:
23 cmd.append('--include-eol')
24 if args.skip_binary_check:
25 cmd.append('--skip-build-check')
26- cmd += ['--ppa', args.ppa]
27- if args.pocket:
28- cmd+= ['--pocket', args.pocket]
29+ if args.esm_ppa and cve_lib.is_active_esm_release(release):
30+ cmd += ['--ppa', args.esm_ppa]
31+ if not args.include_eol:
32+ cmd.append('--include-eol')
33+ else:
34+ cmd += ['--ppa', args.ppa]
35+ if args.pocket:
36+ cmd += ['--pocket', args.pocket]
37 cmd += ['-r', release, '--download', intermediate_changes]
38 for kernel in kernels[release]:
39 cmd += [kernel]
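Review bot: in the ESM branch on lines 29-32, a `--pocket` value passed with '-p' is silently dropped for ESM releases; that matches the sis-changes invocations in the description, but a one-line comment stating that ESM PPAs have no pocket would stop the next reader from reading it as an omission. The `if not args.include_eol` guard only exists to avoid repeating the `--include-eol` already appended at line 23; moving the ESM decision above that earlier append would let the flag be added in a single place, e.g. `if args.include_eol or (args.esm_ppa and cve_lib.is_active_esm_release(release)): cmd.append('--include-eol')`.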
