Merge ubuntu-cve-tracker:making_this_only_opt into ubuntu-cve-tracker:master
Proposed by: Leonidas S. Barbosa
| Status | Merged |
|---|---|
| Merged at revision | 273728d6c3708d88c7a460fcbd0849155d880d8d |
| Proposed branch | ubuntu-cve-tracker:making_this_only_opt |
| Merge into | ubuntu-cve-tracker:master |
| Diff against target | 141 lines (+40/-21), 2 files modified: scripts/pull-usn-desc.py (+13/-7), scripts/sis-generate-usn (+27/-14) |
| Related bugs | |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Ubuntu Security Team | Pending | | |

Review via email: mp+419989@code.launchpad.net
Commit message
Making this_only_affected feature opt and fixing minor issues
Description of the change
Kernel updates are one example of USN generating that does not require this kind of feature. So, making it opt is the better approach. This patch also fixes some small issues.
On Thu, Apr 21, 2022 at 02:25:44AM -0000, Leonidas S. Barbosa wrote:
> Leonidas S. Barbosa has proposed merging ubuntu-cve-tracker:making_this_only_opt into ubuntu-cve-tracker:master.
>
> Commit message:
> Making this_only_affected feature opt and fixing minor issues
>
> For more details, see:
> https://code.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/+git/ubuntu-cve-tracker/+merge/419989
>
> kernel updates are one example of usn generating that does not require this kind of feature. So, making it opt is the better approach. This patch also fixes some small issues.
Thanks, I'm likely going to merge this as-is because I need it to finish
publishing kernels, but some comments and things that need fixing:
- I am okay with making the "only affected" check being the default, have
a --skip-only-affects-check or some such flag for opting-out; I can add
that flag to the scripts/prepare-kernel-usn.py script that wraps
sis-generate-usn (amongst other things).
- When I generate a USN for one kernel in focal and another in bionic
(different sources, same set of CVEs fixed), the resulting calls to
pull-usn-desc.py ended up getting passed the following releases to
check: ['bionic', 'bionic', 'bionic', 'focal', 'focal', 'focal']
This is because there are three source packages associated with each
(signed) kernel that need to have binary packages they generate
incorporated into the USN, but no de-duplication of the releases
occurs.
- For similar reasons, when I enable the "affected check" on the
same set of two kernel source packages, the pull-usn-desc.py
throws a traceback, because it can't find source packages like
'linux-meta' and 'linux-signed' in the CVE file. This probably
should be handled a little more gracefully, though for non-kernel
situations where someone is trying to publish an emergency update
where the cve entry doesn't exist or doesn't include the source
package being updated, the disabling option can be given.
As a general rule, if someone is publishing updates that touch
multiple source packages and have distinct sets of CVEs for the
same release, then for simplicity of data handling, they should be
separate USNs.
There's some work that could be done to make this work when applied
against kernel updates.
Thanks.
> --
> Your team Ubuntu Security Team is requested to review the proposed merge of ubuntu-cve-tracker:making_this_only_opt into ubuntu-cve-tracker:master.
> diff --git a/scripts/ pull-usn- desc.py b/scripts/ pull-usn- desc.py pull-usn- desc.py pull-usn- desc.py OptionParser( ) option( "--prioritize" , help="Display 'critical' and 'high' first, negligible last", action= 'store_ true') option( "--cve" , metavar= "CVE-YYYY- NNNN", help="Request a given CVE's description or template", action='append', default=[]) option( "--releases" , help="List of releases CVEs affect to be filter used in description", action='append', default=[]) add_option( "--this- only-affected" , help="Makes this only affected feature option...
> index c38824b..6bb6ce1 100755
> --- a/scripts/
> +++ b/scripts/
> @@ -39,6 +39,8 @@ opter = optparse.
> opter.add_
> opter.add_
> opter.add_
> +opter.
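Review bot: the help string of the new `--this-only-affected` option ("Makes this only affected feature option...") does not say what the flag enables or whether the check is on or off by default; since the commit message calls the feature opt-in while the review above treats the check as the default, the help text should spell the behaviour out, e.g. `help="Only include CVEs whose entry lists the source package as affected in the given releases (off by default)"`. In the same option block, `--releases` keeps `action='append'` with no de-duplication, which is what lets `['bionic', 'bionic', 'bionic', 'focal', 'focal', 'focal']` reach the script; collapsing the list where it is consumed (for example `releases = list(dict.fromkeys(opt.releases))`) would fix that independently of the new flag.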
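As an added example, not code from ubuntu-cve-tracker or from either participant, here is how the two data-handling problems raised in the review above can be handled in Python: repeated release names are collapsed while keeping their order, and a source package that has no entry in a CVE record (the linux-meta / linux-signed case) produces a warning instead of a traceback, with the check itself switchable off. The record layout (`<release>_<source>` keys), the set of "affected" status keywords, and all function names are assumptions made for illustration; the CVE entries are constructed.

```python
# Added example; not the ubuntu-cve-tracker implementation.

# Constructed CVE records. The "<release>_<source>" key convention and the
# status words are assumptions for this example, not real tracker data.
CVE_RECORDS = {
    "CVE-2022-0001": {
        "bionic_linux": "needed",
        "focal_linux": "needed",
    },
    "CVE-2022-0002": {
        "bionic_linux": "not-affected",
        "focal_linux": "needed",
    },
}

# Status words treated as "this release is affected" (assumed set).
AFFECTED_STATES = {"needed", "needs-triage", "pending", "deferred", "active"}


def dedupe_releases(releases):
    """Collapse repeated release names while keeping first-seen order."""
    return list(dict.fromkeys(releases))


def affected_releases(cve, source, releases, records=CVE_RECORDS):
    """Return (affected releases, warning) for one source package and CVE.

    A release/source pair that is absent from the record is reported as
    "no entry" rather than raising, so packages that never appear in a CVE
    file (e.g. linux-meta, linux-signed) do not abort the whole run.
    """
    record = records.get(cve)
    if record is None:
        return [], f"{cve}: no such CVE record"
    hits, missing = [], []
    for rel in dedupe_releases(releases):
        status = record.get(f"{rel}_{source}")
        if status is None:
            missing.append(rel)
        elif status.split()[0] in AFFECTED_STATES:  # tolerate "released (ver)"
            hits.append(rel)
    warning = f"{cve}: no entry for {source} in {', '.join(missing)}" if missing else ""
    return hits, warning


def select_cves(cves, sources, releases, only_affected=True, records=CVE_RECORDS):
    """Return (CVE ids to include in the USN, warnings).

    With only_affected=False every CVE is kept unchanged, which is the
    opt-out path for emergency updates whose CVE entries are incomplete.
    """
    selected, warnings = [], []
    for cve in cves:
        if not only_affected:
            selected.append(cve)
            continue
        keep = False
        for src in sources:
            hits, warning = affected_releases(cve, src, releases, records)
            if warning:
                warnings.append(warning)
            if hits:
                keep = True
        if keep:
            selected.append(cve)
    return selected, warnings


if __name__ == "__main__":
    # Mirrors the reviewer's scenario: three sources per kernel, releases
    # repeated once per source, linux-meta/linux-signed absent from records.
    chosen, warns = select_cves(
        ["CVE-2022-0001", "CVE-2022-0002"],
        ["linux", "linux-meta", "linux-signed"],
        ["bionic", "bionic", "bionic", "focal", "focal", "focal"],
    )
    print("selected:", chosen)
    for w in warns:
        print("warning:", w)
```

Each CVE is kept as long as at least one of the sources is recorded as affected in some requested release, so the missing meta/signed entries only produce warnings; a source that is genuinely absent everywhere yields an empty selection rather than an exception.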