Ubuntu CVE Tracker

Merge ubuntu-cve-tracker:adding_special_ppas_flag into ubuntu-cve-tracker:master

  1. Git
  2. lp:ubuntu-cve-tracker
  3. adding_special_ppas_flag
  4. Merge into master
Proposed by Leonidas S. Barbosa
Status: Rejected
Rejected by: Eduardo Barretto
Proposed branch: ubuntu-cve-tracker:adding_special_ppas_flag
Merge into: ubuntu-cve-tracker:master
Diff against target: 45 lines (+13/-0)
1 file modified
scripts/sis-generate-usn (+13/-0)
Reviewer Review Type Date Requested Status
Eduardo Barretto Disapprove
Steve Beattie Pending
Review via email: mp+418321@code.launchpad.net

Commit message

Adding --special-ppa flag to sis-generate-usn script in order to address some ppas that are special for us

Description of the change

e.g: canonical-chromium-browser/ubuntu/stage, is the one were Osmos builds chromium and while doing a template generate we need to check and be sure we fill all flags correctly, such as --pocket-all.

This patch adds this flag in order to check against a special ppa list and add the --pocket-all flags as it needs, also could be used in future features too.

To post a comment you must log in.
Revision history for this message
Seth Arnold (seth-arnold) wrote :

I'd love a nice single list of all our special ppas somewhere, this might be a nice step towards that. Do we have ppas that we can't publicly disclose?

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote (last edit ):

> I'd love a nice single list of all our special ppas somewhere, this might be a
> nice step towards that. Do we have ppas that we can't publicly disclose?
I don't know, to be honest I only know that one now because the last chromium-browser update I did. And AFAIK it is a public one. Not sure by example how Osmon handles embargoed issues there.
I also believe that these ppas will always depends on who is the one that is handling such packages updates. I'm not sure if these ppas changes hand to hands. Maybe we need to discuss these scenarios better to patch it better too.

Revision history for this message
Steve Beattie (sbeattie) wrote :

On Mon, Apr 04, 2022 at 06:27:01PM -0000, Leonidas S. Barbosa wrote:
> > I'd love a nice single list of all our special ppas somewhere, this might be a
> > nice step towards that. Do we have ppas that we can't publicly disclose?

We may at some point.

> I don't, to be honest I only know that one now because the last chromium-browser update I did.
> I also believe that these ppas will always depends on who is the one that is handling such packages updates. I'm not sure if these ppas changes hand to hands. Maybe we need to discuss these scenarios better to patch it better too.

Some others we have:

  browser/tbird ppa(s?)
  openjdk-security

I'm less familiar with the process around the first ones, but on the
second, we have started binary copying debs to the security-proposed ppa
to get autopkgtest coverage and then publishing from there. But if we
ever have a high priority issue or regression where we need to publish
quickly, we'd likely skip that step.

--
Steve Beattie
<email address hidden>

Revision history for this message
Steve Beattie (sbeattie) wrote :

On Mon, Apr 04, 2022 at 06:36:29PM -0000, Steve Beattie wrote:
> On Mon, Apr 04, 2022 at 06:27:01PM -0000, Leonidas S. Barbosa wrote:
> > > I'd love a nice single list of all our special ppas somewhere, this might be a
> > > nice step towards that. Do we have ppas that we can't publicly disclose?
>
> We may at some point.
>
> > I don't, to be honest I only know that one now because the last chromium-browser update I did.
> > I also believe that these ppas will always depends on who is the one that is handling such packages updates. I'm not sure if these ppas changes hand to hands. Maybe we need to discuss these scenarios better to patch it better too.
>
> Some others we have:
>
> browser/tbird ppa(s?)
> openjdk-security
>
> I'm less familiar with the process around the first ones, but on the
> second, we have started binary copying debs to the security-proposed ppa
> to get autopkgtest coverage and then publishing from there. But if we
> ever have a high priority issue or regression where we need to publish
> quickly, we'd likely skip that step.

Oh one more set of packages that don't go through our normal
processes: kernel updates, but for those I publish my USNs based off
the information that has landed in the Ubuntu archive; *occasionally*
I have prepared updates based on ppa contents for those, but mostly
as a pre-fetching stage.

--
Steve Beattie
<email address hidden>

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote (last edit ):

...
> Oh one more set of packages that don't go through our normal
> processes: kernel updates, but for those I publish my USNs based off
> the information that has landed in the Ubuntu archive; *occasionally*
> I have prepared updates based on ppa contents for those, but mostly
> as a pre-fetching stage.
 my main concern about these 'special' ppas are the fact that they can change during time (?) So pin them in a list makes it in two works to maintain. The alternative should be pass it as parameter, but we want it to be check against, In this point I believe we should have a kind of guidelines for these packages that are build out-side our sec ppas/normal-ppas/ so we could track it better. The copy binary to our ppas is a thing, but as Steve said, if in a rush, one wants to skip it.

Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Discussed with Leo about this PR. Since it is from 2022 and we haven't hit this case anymore we will reject it, but in the future we might add such flag in a new PR.

review: Disapprove

Unmerged commits

64dd656... by Leonidas S. Barbosa

Adding special-ppa flag in order to handle ppas that are special for us and we want to adress, like ~canonical-chromium-browser

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/scripts/sis-generate-usn b/scripts/sis-generate-usn
2index d81a2b2..fef6871 100755
3--- a/scripts/sis-generate-usn
4+++ b/scripts/sis-generate-usn
5@@ -36,6 +36,7 @@ opter.add_option("--ignore-cves", metavar="CVES", help="Comma separated list of
6 opter.add_option("--embargoed", help="Include embargoed directory when looking for CVE descriptions", action='store_true')
7 opter.add_option("--include-eol", help="Include EoL releases", action='store_true')
8 opter.add_option("--binaries-json", help="Path to JSON mapping of binary packages to versions (can repeat, default: binaries.json)", action='append', default=[])
9+opter.add_option("--special-ppa", help="Forces a check for special ppas we want to address in the template", action='store_true')
10 (opt, args) = opter.parse_args()
11
12 if len(args) < 2:
13@@ -338,6 +339,14 @@ def is_origin_ppa_for_archive(origin):
14 ]
15 return origin in default_ppas
16
17+# return True if ppa is a special one.
18+# Some ppas are 'special' because they are used to build specific packages
19+# such as chromium-browser one.
20+def is_special_ppa(ppa):
21+ special_ppas = [
22+ "~canonical-chromium-builds/ubuntu/stage"
23+ ]
24+ return ppa in special_ppas
25
26 # Determine where to expect the files to live (archive vs ports)
27 def base_to_url(base, release, arch):
28@@ -863,6 +872,8 @@ for release in releases:
29 pocket = "--pocket %s" % binaries[source][release][deb]['pocket']
30 elif is_origin_ppa_for_archive(binaries[source][release][deb]['origin']):
31 pocket = "--pocket security"
32+ elif opt.special_ppa and is_special_ppa(binaries[source][release][deb]['origin']):
33+ pocket = "--pocket security"
34 print(' usn.py --db "$DB" $USN --release %s --package %s --binary-version %s %s' % (release, deb, version, pocket))
35 print()
36
37@@ -914,6 +925,8 @@ for release in releases:
38 pocket = "--pocket-all %s" % binaries[source][release][deb]['pocket']
39 elif is_origin_ppa_for_archive(binaries[source][release][deb]['origin']):
40 pocket = "--pocket-all security"
41+ elif opt.special_ppa and is_special_ppa(binaries[source][release][deb]['origin']):
42+ pocket = "--pocket-all security"
43 print(' usn.py --db "$DB" $USN --release %s --package %s --all-binary-version %s --all-binary-source %s %s'
44 % (release, deb, version, source, pocket))
45 print()

Subscribers

People subscribed via source and target branches