Merge ~rodrigo-zaiden/ubuntu-cve-tracker:merge_esm_kernel_changes into ubuntu-cve-tracker:master

Proposed by Rodrigo Figueiredo Zaiden
Status: Merged
Merged at revision: 0f20c5bee31dc0e7f3b00706a851db8942bec135
Proposed branch: ~rodrigo-zaiden/ubuntu-cve-tracker:merge_esm_kernel_changes
Merge into: ubuntu-cve-tracker:master
Diff against target: 39 lines (+10/-4)
1 file modified
scripts/prepare-kernel-usn.py (+10/-4)
Reviewer: Steve Beattie
Review status: Approve
Review via email: mp+443137@code.launchpad.net

Commit message

scripts/prepare-kernel-usn.py: add esm-ppa argument

 with '--esm-ppa' argument, we add the capability to create USNs for
 active and ESM kernel releases in the same execution. It simply checks
 if the new argument is present and if the release is ESM, if so, it adds
 the necessary arguments for 'sis-changes' to download ESM kernel change
 files.

 before this commit, if we wanted to publish an ESM and active kernel
 release in the same USN we had to merge the changes manually after
 running the commands for ESM and active kernel releases separately.

Description of the change

In current execution of 'prepare-kernel-usn', if we have kernels in ESM
and active releases we must run the commands separately passing the ESM
ppa instead of the archive ppa argument so that sis-changes downloads the
changes properly and so we can merge them manually later.

for regular archive ppa release:
    ./scripts/prepare-kernel-usn.py -d -n -p Security bionic \
      bionic/linux-oracle: 4.15.0-1119.130
    [...]
    /home/rodrigo/git-pulls/ubuntu-cve-tracker/scripts/sis-changes \
      --ppa ubuntu --pocket Security -r bionic \
      --download /tmp/prepare-kernel-usn-620qey9a/usn-bionic-linux-oracle \
      linux-oracle linux-meta-oracle linux-signed-oracle
    [...]

for ESM release:
    ./scripts/prepare-kernel-usn.py -d -n \
      --ppa ubuntu-esm/esm-infra-security --include-eol \
      xenial xenial/linux-oracle: 4.15.0-1119.130~16.04.1
    [...]
    /home/rodrigo/git-pulls/ubuntu-cve-tracker/scripts/sis-changes \
      --include-eol --ppa ubuntu-esm/esm-infra-security -r xenial \
      --download /tmp/prepare-kernel-usn-ibstv2m4/usn-xenial-linux-oracle \
      linux-oracle linux-meta-oracle linux-signed-oracle
    [...]

and now with the proposed change:
    ./scripts/prepare-kernel-usn.py -d -n --esm-ppa \
      ubuntu-esm/esm-infra-security -p Security \
      xenial xenial/linux-oracle: 4.15.0-1119.130~16.04.1 \
      bionic/linux-oracle: 4.15.0-1119.130
    [...]
    /home/rodrigo/git-pulls/ubuntu-cve-tracker/scripts/sis-changes \
    --ppa ubuntu-esm/esm-infra-security --include-eol -r xenial \
    --download /tmp/prepare-kernel-usn-p7yhhb2o/usn-xenial-linux-oracle \
    linux-oracle linux-meta-oracle linux-signed-oracle
    [...]
    /home/rodrigo/git-pulls/ubuntu-cve-tracker/scripts/sis-changes \
    --ppa ubuntu --pocket Security -r bionic \
    --download /tmp/prepare-kernel-usn-p7yhhb2o/usn-bionic-linux-oracle \
    linux-oracle linux-meta-oracle linux-signed-oracle
    [...]

'sis-changes' is still working as expected, the commands are the same, but
are executed all together and will merge the changes in the same USN.

extra notes:
* if pocket ('-p') or ppa ('--ppa') is not passed at all, it also works.
  The default if nothing is passed is 'ubuntu' archive and 'security'
  pocket. It remains like that with the new argument, that is, if
  '--esm-ppa' is passed and nothing else, but non-esm releases are passed
  it will get the kernel changes for these releases from the archive.

Steve Beattie (sbeattie) wrote :

Nice! That's way more straightforward than the convoluted mechanisms I had been coming up with!

review: Approve

Preview Diff

diff --git a/scripts/prepare-kernel-usn.py b/scripts/prepare-kernel-usn.py
index ac92da5..94b7879 100755
--- a/scripts/prepare-kernel-usn.py
+++ b/scripts/prepare-kernel-usn.py
@@ -3,7 +3,7 @@
3# Author: Kees Cook <kees@ubuntu.com>3# Author: Kees Cook <kees@ubuntu.com>
4# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>4# Author: Marc Deslauriers <marc.deslauriers@ubuntu.com>
5# Author: Steve Beattie <sbeattie@ubuntu.com>5# Author: Steve Beattie <sbeattie@ubuntu.com>
6# Copyright: 2011,2012,2017 Canonical, Ltd6# Copyright: 2011-2023 Canonical, Ltd
7# License: GPLv37# License: GPLv3
8#8#
9# Walk through the steps to do a standard kernel publication using the9# Walk through the steps to do a standard kernel publication using the
@@ -175,6 +175,7 @@ parser.add_argument('-F', '--force', action='store_true', default=False, help='O
175parser.add_argument('--use-changes', action='store', default=None, help='Use previously downloaded changes files from prior run (sets --keep-changes as well')175parser.add_argument('--use-changes', action='store', default=None, help='Use previously downloaded changes files from prior run (sets --keep-changes as well')
176parser.add_argument('--keep-changes', action='store_true', default=False, help='Keep changes files downloaded by sis-changes')176parser.add_argument('--keep-changes', action='store_true', default=False, help='Keep changes files downloaded by sis-changes')
177parser.add_argument("--ignore-released-cves-in-changelog", action='store_true', help="Filter out CVEs already marked as released")177parser.add_argument("--ignore-released-cves-in-changelog", action='store_true', help="Filter out CVEs already marked as released")
178parser.add_argument("--esm-ppa", action='store', help="Add kernels from ESM PPA if any, can be used when merging ESM with active kernels (sets --include-eol)")
178parser.add_argument('release', action='store', nargs=1, help='Primary release name (e.g. xenial)')179parser.add_argument('release', action='store', nargs=1, help='Primary release name (e.g. xenial)')
179parser.add_argument('kernel', action=KernelVersionAction, nargs='+', help='Kernel source package name and versions; e.g. "linux 4.4.0-42.62. Source package can be a release/name pair"')180parser.add_argument('kernel', action=KernelVersionAction, nargs='+', help='Kernel source package name and versions; e.g. "linux 4.4.0-42.62. Source package can be a release/name pair"')
180args = parser.parse_args()181args = parser.parse_args()
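Review bot: the help string on the new '--esm-ppa' argument says it "sets --include-eol", but the later hunk only appends '--include-eol' to the sis-changes command for releases where cve_lib.is_active_esm_release(release) is true; args.include_eol itself is never changed. Suggest rewording to something like "(passes --include-eol to sis-changes for ESM releases)" and adding a metavar or an example value such as 'ubuntu-esm/esm-infra-security' so the expected format is visible in the --help output.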
@@ -274,9 +275,14 @@ try:
274 cmd.append('--include-eol')275 cmd.append('--include-eol')
275 if args.skip_binary_check:276 if args.skip_binary_check:
276 cmd.append('--skip-build-check')277 cmd.append('--skip-build-check')
277 cmd += ['--ppa', args.ppa]278 if args.esm_ppa and cve_lib.is_active_esm_release(release):
278 if args.pocket:279 cmd += ['--ppa', args.esm_ppa]
279 cmd+= ['--pocket', args.pocket]280 if not args.include_eol:
281 cmd.append('--include-eol')
282 else:
283 cmd += ['--ppa', args.ppa]
284 if args.pocket:
285 cmd += ['--pocket', args.pocket]
280 cmd += ['-r', release, '--download', intermediate_changes]286 cmd += ['-r', release, '--download', intermediate_changes]
281 for kernel in kernels[release]:287 for kernel in kernels[release]:
282 cmd += [kernel]288 cmd += [kernel]
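Review bot: in the new 'if args.esm_ppa and cve_lib.is_active_esm_release(release)' branch, args.ppa and args.pocket are both dropped for that release with no comment or message, so a caller who passes '--ppa' or '-p' together with '--esm-ppa' gets no hint that those values now apply only to the non-ESM releases. A one-line comment saying why '--pocket' is not passed with the ESM PPA, plus a matching note in the '--ppa' and '-p' help text, would make this explicit. It may also be worth printing a warning when '--esm-ppa' is given but no release in 'kernels' is an active ESM release, since the option is then silently unused.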
