~ubuntu-kernel/ubuntu/+source/linux-snap/+git/xenial:master

Last commit made on 2021-06-29
Get this branch:
git clone -b master https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux-snap/+git/xenial
Members of Ubuntu Kernel Repositories can upload to this branch.

Recent commits

34e7365... by Jesse Sung

Copy host trusted.gpg keyring only when it exists

The file may not be available when the snap doesn't build on Launchpad.

Signed-off-by: Wen-chien Jesse Sung <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

c87498d... by Dimitri John Ledkov

Copy host trusted.gpg keyring into the chroot

Launchpad xenial snap builds now have ubuntu-esm repositories
enabled. And now apt-get -y update started to produce an error since the
GPG keys of the sources.list from the host are not available in the
chroot. Fix this by copying the host trusted.gpg keyring into the
chroot.

Signed-off-by: Dimitri John Ledkov <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

d35b8f6... by Andy Whitcroft

Find the meta package in pocket using the abi as a key

If the version we are trying to build is the version in -updates but the
version is higher in -proposed we will install the wrong version and bail
out. Rather find the appropriate meta package version which will install
the kernel we are trying to package and install that explicitly by version.

Signed-off-by: Andy Whitcroft <email address hidden>

cbb5c0a... by Kleber Sacilotto de Souza

Fix version matching for signed re-uploads

When a signed package needs to be re-uploaded keeping the same ABI
number, a '+signedN' suffix is added to its version number. This is
causing problems for the snap build which detects a mismatch with the
version requested by the snapcraft.yaml file. Fix it by considering
any '+*' suffix as a valid suffix when performing the match with the
installed linux image package.

Acked-by: Andy Whitcroft <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Andy Whitcroft <email address hidden>

df24c37... by Dimitri John Ledkov

Pin any PPAs to the same priority as -updates.

PPAs only have "release" pocket, and do not have -updates, thus at the
moment they get pinned down lower than -updates. Normally, the
snappy-dev/image ppa should be treated on the same priority as
-updates.

Signed-off-by: Dimitri John Ledkov <email address hidden>
Acked-by: Paolo Pisati <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>

11e5507... by Tyler Hicks

Use authenticated repositories and packages

BugLink: https://launchpad.net/bugs/1836041

Ensure that all of the additionally configured repositories and
installed packages needed to construct a kernel snap are authenticated
by apt.

The Makefile improperly used the --allow-unauthenticated apt option
when setting up the build chroot. An attacker with control over the
network between the build machine and the Ubuntu archive or the
snappy-dev/image PPA could use this to perform a man-in-the-middle
attack to install malicious packages in the build chroot.

Such an attack is unlikely for the official Ubuntu kernel snap builds
since the Launchpad buildd infrastructure and the network communication
with the Ubuntu archive and Launchpad PPAs are tightly controlled.
However, end-users may use this Makefile to build their own kernel snaps
and have no guarantees about the communication with the archive or PPAs.

Store a copy of the snappy-dev/image PPA's public signing key alongside
the Makefile so that the public signing key can be added to apt as part
of the build process. Finally, remove all uses of
--allow-unauthenticated when invoking apt commands.

CVE-2019-11480

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Andy Whitcroft <email address hidden>
[smb: Adjusted sequence to match those required in later releases]
Signed-off-by: Stefan Bader <email address hidden>
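
An added example, not part of the commit or the project's Makefile: a shell check that flags apt options which disable signature verification in build scripts, the kind of setting this commit removed. The sample Makefile fragments, the key file name and the way the key is installed are constructed for illustration.

```shell
#!/bin/sh
# Added example: find apt settings that switch off signature checking.
# The pattern list holds real apt options; it is illustrative, not exhaustive.
APT_NOAUTH_PATTERNS='--allow-unauthenticated
--force-yes
--allow-insecure-repositories
APT::Get::AllowUnauthenticated
Acquire::AllowInsecureRepositories
trusted=yes'

# find_apt_noauth FILE...
# Prints file:line:text for every non-comment line that matches a pattern.
# Returns 1 if anything was found, 0 if the files are clean.
find_apt_noauth() {
    hits=$(grep -n -i -F -e "$APT_NOAUTH_PATTERNS" -- "$@" /dev/null |
           grep -v -E '^[^:]*:[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# write_samples DIR: constructed build fragments, not the project's Makefile.
write_samples() {
    cat > "$1/before.mk" <<'EOF'
# constructed sample: chroot setup that skips authentication
chroot-setup:
	chroot $(CHROOT) apt-get -y update
	chroot $(CHROOT) apt-get -y --allow-unauthenticated install linux-image-generic
EOF
    # Key file name and install location below are assumptions.
    cat > "$1/after.mk" <<'EOF'
# constructed sample: --allow-unauthenticated removed, PPA key added first
chroot-setup:
	cp ppa-signing-key.gpg $(CHROOT)/etc/apt/trusted.gpg.d/
	chroot $(CHROOT) apt-get -y update
	chroot $(CHROOT) apt-get -y install linux-image-generic
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
find_apt_noauth "$tmp/before.mk" || echo "before.mk: authentication disabled"
find_apt_noauth "$tmp/after.mk" && echo "after.mk: clean"
rm -rf "$tmp"
```

Lines that only mention an option inside a `#` comment are skipped, so the constructed "after" fragment passes even though its comment names the removed flag.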

2c628e9... by Stefan Bader

Drop linux-signed case

Picking up the new packaging code in the kernel, there will no longer
be a signed kernel package. Taking that section from the Bionic
deb2snap Makefile.

Signed-off-by: Stefan Bader <email address hidden>

ddbb4df... by Robert Liu

deb to snap: install updates before building

BugLink: https://launchpad.net/bugs/1808768

Install updates after debootstrap to avoid using out-of-date packages.

Signed-off-by: Robert Liu <email address hidden>
Acked-by: Wen-chien Jesse Sung <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

16aef0e... by Kleber Sacilotto de Souza

deb to snap: Ignore missing abi file

The changes for LP: #1806380 (linux-buildinfo: pull out ABI information
into its own package) moved the abi files from /boot/ to
/usr/lib/linux/<abi_release>-<flavour>/. The ABI file however is not
critical and was just included for completeness. So just copy it for
those cases where it is still found in /boot/ and ignore the case when it is
not found.

Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

dfb69f2... by Jesse Sung

deb to snap: add nvme and hid modules to initrd for amd64

BugLink: https://launchpad.net/bugs/1802260

Signed-off-by: Wen-chien Jesse Sung <email address hidden>
Acked-by: Paolo Pisati <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>