Merge ~rodrigo-zaiden/ubuntu-security-tools:fix-build-source-list into ubuntu-security-tools:master

Proposed by Rodrigo Figueiredo Zaiden
Status: Needs review
Proposed branch: ~rodrigo-zaiden/ubuntu-security-tools:fix-build-source-list
Merge into: ubuntu-security-tools:master
Diff against target: 45 lines (+17/-15)
1 file modified
build-tools/build-sources-list (+17/-15)
Reviewer: Eduardo Barretto (Status: Needs Fixing)
Review via email: mp+420586@code.launchpad.net

Commit message

UST: build-source-list: change build ESM PPAs

 From the ubuntu-security-tools.conf file, there are different ways
 to add an ESM release; if a user has a release in the format
 'release/esm-x' it was not building correctly.
 If the format 'esm-x/release' is used, it is not being handled.
 The exception case is for Precise and Trusty, which should be created
 in the format 'release/esm'.

Description of the change

I've seen some different ways to describe an ESM release in
~/.ubuntu-security-tools.conf, such as:
`esm-apps/focal` or `focal/esm-apps`

I'm using the first and I noticed that it was not building the PPAs
correctly, since this case was not handled.
I couldn't find a "correct" format, and as far as I checked, both seem
to be accepted.
In this commit, I'm trying to accept both and handle both.
I understand that in an ideal world I could be generating the auth part
in the correct file, but for now the warning note remains; I'm just trying
to make this script usable in case someone tries it.

The only special case is for trusty and precise that should be handled
as release/esm since they only have one component. Actually, it could be
time to remove Precise, but I decided to first push with it as it was
still there and if someone thinks that we should remove it, I can create
a new commit.

Thank you!

Eduardo Barretto (ebarretto) wrote :

We should not support the format 'release/esm-{infra/apps}'; please follow the new CVE file format, which is:
PRODUCT/RELEASE

so it should be:
esm/precise [1]
esm/trusty [1]
esm-infra/xenial
esm-apps/xenial
esm-apps/bionic
esm-apps/focal
esm-apps/jammy

[1] Please note that for precise and trusty we do have an alias set up to accept trusty/esm and precise/esm; this was a decision so we don't have to touch all our CVEs and infrastructure, as their ESM came before the new CVE file format.

review: Needs Fixing
Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

> We should not support the format 'release/esm-{infra/apps}'; please follow the
> new CVE file format, which is:
> PRODUCT/RELEASE
>
> so it should be:
> esm/precise [1]
> esm/trusty [1]
> esm-infra/xenial
> esm-apps/xenial
> esm-apps/bionic
> esm-apps/focal
> esm-apps/jammy
>
> [1] Please note that for precise and trusty we do have an alias set up to accept
> trusty/esm and precise/esm; this was a decision so we don't have to touch
> all our CVEs and infrastructure, as their ESM came before the new CVE file
> format.

Thanks Eduardo!

I've made a new commit where I support the format release/esm{-infra/-apps}.
In the end, it is cleaner code.
If you could take a new look at it, I'd appreciate it.
Thanks!

Steve Beattie (sbeattie) wrote :

On Wed, Apr 27, 2022 at 06:25:04AM -0000, Eduardo Barretto wrote:
> We should not support the format 'release/esm-{infra/apps}'; please follow the new CVE file format, which is:
> PRODUCT/RELEASE
>
> so it should be:
> esm/precise [1]
> esm/trusty [1]
> esm-infra/xenial
> esm-apps/xenial
> esm-apps/bionic
> esm-apps/focal
> esm-apps/jammy

Cool, I missed when this was communicated. With the change that
Rodrigo is proposing, `esm/trusty` has to be the format used in
~/.ubuntu-security-tools.conf in order for a sources.list to be
generated that references the trusty ppa for ESM; having `trusty/esm`
results in it being skipped.

> [1] Please note that for precise and trusty we do have an alias set up to
> accept trusty/esm and precise/esm; this was a decision so we don't
> have to touch all our CVEs and infrastructure, as their ESM came before
> the new CVE file format.

The esm/trusty alias does not work correctly for umt download:

$ umt search tzdata | grep trusty
trusty/esm: 2022a-0ubuntu0.14.04+esm1, Pocket: release, Component: main
trusty: 2019a-0ubuntu0.14.04, Pocket: updates, Component: main
$ umt download tzdata -r esm/trusty
Skipping release 'esm/trusty': package not found.
$ umt download tzdata -r trusty/esm
Downloading 'tzdata' version '2022a-0ubuntu0.14.04+esm1' for release 'trusty/esm'.

(This happens regardless of whether ~/.ubuntu-security-tools.conf
contains esm/trusty or trusty/esm in `release_list`.)

--
Steve Beattie
<email address hidden>

Steve Beattie (sbeattie) wrote :

Hey Rodrigo,

On Wed, Apr 27, 2022 at 01:29:44PM -0000, Rodrigo Figueiredo Zaiden wrote:
> > We should not support the format 'release/esm-{infra/apps}'; please follow the
> > new CVE file format, which is:
> > PRODUCT/RELEASE
> >
> > so it should be:
> > esm/precise [1]
> > esm/trusty [1]
> > esm-infra/xenial
> > esm-apps/xenial
> > esm-apps/bionic
> > esm-apps/focal
> > esm-apps/jammy
> >
> > [1] Please note that for precise and trusty we do have an alias set up to accept
> > trusty/esm and precise/esm; this was a decision so we don't have to touch
> > all our CVEs and infrastructure, as their ESM came before the new CVE file
> > format.
>
> I've made a new commit where I support the format release/esm{-infra/-apps}.
> In the end, it is cleaner code.
> If you could take a new look at it, I'd appreciate it.

I think there's a bit of confusion about what Eduardo was trying to say.

For xenial and newer, only the formats `esm-{infra,apps}/RELEASE`
should be accepted. For trusty `esm/trusty` and `trusty/esm` both
need to work (in particular the latter format); in this case either
should generate the private ppa entry for trusty. With the revised
change it's only generating a trusty ppa line if `esm/trusty` is used.

That said, feel free to drop references to precise. It is gone and not
coming back.

Thanks!

--
Steve Beattie
<email address hidden>
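
Added example, not code from the ubuntu-security-tools repository: a POSIX sh classifier for `release_list` entries that implements the mapping Steve and Eduardo describe above (`esm/trusty` and `trusty/esm` both to the trusty esm-infra-security PPA, `esm-{infra,apps}/RELEASE` for newer releases, everything else refused), using anchored `case` patterns rather than substring grep. The PPA names and the warn-instead-of-silently-skip behaviour are assumptions modelled on the proposed change, not the script's own code.

```shell
#!/bin/sh
# Added example (not from ubuntu-security-tools): map one release_list
# entry from ~/.ubuntu-security-tools.conf to "<ppa> <release>" using the
# formats agreed in the review:
#   esm/trusty or trusty/esm   -> esm-infra-security trusty
#   esm-infra/<release>        -> esm-infra-security <release>
#   esm-apps/<release>         -> esm-apps-security <release>
# Anything else (the rejected <release>/esm-apps form, the dropped precise,
# or an entry that merely contains "esm") is refused. case(1) patterns are
# anchored to the whole string, so no substring can leak into an ESM branch.
esm_ppa_for() {
    entry="$1"
    case "$entry" in
        esm/trusty|trusty/esm)
            echo "esm-infra-security trusty" ;;
        esm-infra/*/*|esm-apps/*/*)
            return 1 ;;                      # more than one slash: malformed
        esm-infra/?*)
            echo "esm-infra-security ${entry#esm-infra/}" ;;
        esm-apps/?*)
            echo "esm-apps-security ${entry#esm-apps/}" ;;
        *)
            return 1 ;;
    esac
}

# Walk a release_list the way build-sources-list iterates "$r", but report
# entries that cannot be classified instead of silently skipping them.
check_release_list() {
    rc=0
    for r in "$@"; do
        if out=$(esm_ppa_for "$r"); then
            echo "$r -> ubuntu-esm/$out"
        else
            echo "WARNING: unrecognised ESM release entry '$r'" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample list mixing accepted and rejected forms.
if ! check_release_list esm/trusty trusty/esm esm-infra/xenial \
        esm-apps/focal focal/esm-apps esm/precise; then
    echo "one or more entries would produce no ESM sources.list line" >&2
fi
```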

Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

Thanks Steve and Eduardo for discussing the idea.

Just pushed a new review adding support for trusty/esm and removing precise.
I decided to go in a "hardcoded" style for trusty/esm for better readability instead of trying to play with regex for all cases: trusty/esm and esm[-infra|-apps]/release.
esm/trusty is still supported, although it can break stuff around `umt download`.

Thanks for revisiting it whenever possible.

Unmerged commits

64d9697... by Rodrigo Figueiredo Zaiden

UST: build-source-list: build ESM PPAs

    Handle trusty/esm and esm{-infra/-apps}/release,
    including esm/trusty, and remove precise esm.

49f76a5... by Rodrigo Figueiredo Zaiden

UST: build-source-list: change build ESM PPAs

  As per the new CVE format, the accepted format is esm{-infra/-apps/release},
  so we can clean up a chunk of code and handle only esm{}/x cases.

f9597dd... by Rodrigo Figueiredo Zaiden

UST: build-source-list: change build ESM PPAs

 From the ubuntu-security-tools.conf file, there are different ways
 to add an ESM release; if a user has a release in the format
 'release/esm-x' it was not building correctly.
 If the format 'esm-x/release' is used, it is not being handled.
 The exception case is for Precise and Trusty, which should be created
 in the format 'release/esm'.

Preview Diff

1diff --git a/build-tools/build-sources-list b/build-tools/build-sources-list
2index bb91469..baa0711 100755
3--- a/build-tools/build-sources-list
4+++ b/build-tools/build-sources-list
5@@ -114,23 +114,25 @@ EOM
6 ppa_overlay="image"
7 emit_ppa_overlay "snappy-dev" "$ppa_overlay" "${ppa_overlay_release}"
8
9- # ESM overlay ppas
10- elif echo "$r" | grep -q "/esm" ; then
11- ppa_overlay_release=$(echo "$r" | cut -f 1 -d '/')
12- if [ "$ppa_overlay_release" = "precise" ] ; then
13- ppa_overlay="esm"
14- emit_private_ppa_overlay "ubuntu-esm" "$ppa_overlay" "${ppa_overlay_release}"
15- echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918"
16- else
17- # newer ESM releases are in the esm-infra-security and
18- # esm-apps-security ppas
19+ # Trusty ESM overlay ppa
20+ elif echo "$r" | grep -q "trusty/esm" ; then
21+ emit_private_ppa_overlay "ubuntu-esm" "esm-infra-security" "trusty"
22+ echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918"
23+
24+ # ESM Infra/Apps overlay ppas
25+ # in the format "esm{-infra|-apps}/<release>"
26+ elif echo "$r" | grep -qe "esm.*/" ; then
27+ ppa_overlay_release=$(echo "$r" | cut -f 2 -d '/')
28+ if [ "$ppa_overlay_release" = "trusty" ] ; then
29+ # Trusty ESM release is in ubuntu-esm/esm-infra-security
30 ppa_overlay="esm-infra-security"
31- emit_private_ppa_overlay "ubuntu-esm" "$ppa_overlay" "${ppa_overlay_release}"
32- echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918"
33- ppa_overlay="esm-apps-security"
34- emit_private_ppa_overlay "ubuntu-esm" "$ppa_overlay" "${ppa_overlay_release}"
35- echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918"
36+ else
37+ ppa_esm_component=$(echo "$r" | cut -f 1 -d '/')
38+ ppa_overlay="$ppa_esm_component-security"
39 fi
40+ emit_private_ppa_overlay "ubuntu-esm" "$ppa_overlay" "${ppa_overlay_release}"
41+ echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918"
42+
43 # normal ubuntu releases.
44 else
45 if [ "$r" = "precise" ] ; then
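Review bot: the trusty branch now emits only the esm-infra-security overlay, whereas the removed code emitted both esm-infra-security and esm-apps-security for every non-precise `/esm` entry, so a `trusty/esm` entry silently loses its esm-apps-security line; if that is intended, say so in the commit message. Both new guards are also unanchored substring matches: `grep -q "trusty/esm"` accepts e.g. `trusty/esm-apps`, and `grep -qe "esm.*/"` accepts any entry containing "esm" somewhere before a slash, which then reaches `ppa_esm_component=$(echo "$r" | cut -f 1 -d '/')` and yields a made-up `${ppa_esm_component}-security` PPA name. Consider anchoring them, e.g. `grep -qx "trusty/esm"` and `grep -qE '^esm(-infra|-apps)?/[^/]+$'`, so unrecognised entries fall through to the normal-release branch instead; the two identical `echo "# Requires gpg keyid ..."` lines could then also be folded into one after the new `if`/`else`.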
