
ubuntu-packaging-guide-team team mailing list archive

lp:~jr/ubuntu-packaging-guide/04-security-and-stable-release-updates into lp:ubuntu-packaging-guide

 

Jonathan Riddell has proposed merging lp:~jr/ubuntu-packaging-guide/04-security-and-stable-release-updates into lp:ubuntu-packaging-guide with lp:~jr/ubuntu-packaging-guide/03-packaging-from-scratch as a prerequisite.

Requested reviews:
  Ubuntu Packaging Guide Team (ubuntu-packaging-guide-team)
Related bugs:
  Bug #702005 in Ubuntu Packaging Guide: "Add article about "Stable Release Updates" / Security updates"
  https://bugs.launchpad.net/ubuntu-packaging-guide/+bug/702005

For more details, see:
https://code.launchpad.net/~jr/ubuntu-packaging-guide/04-security-and-stable-release-updates/+merge/68538

Add information on stable release updates
Tidy up the security article and make it follow UDD practices

-- 
https://code.launchpad.net/~jr/ubuntu-packaging-guide/04-security-and-stable-release-updates/+merge/68538
Your team Ubuntu Packaging Guide Team is requested to review the proposed merge of lp:~jr/ubuntu-packaging-guide/04-security-and-stable-release-updates into lp:ubuntu-packaging-guide.
=== modified file 'index.rst'
--- index.rst	2011-07-20 12:21:21 +0000
+++ index.rst	2011-07-20 12:21:22 +0000
@@ -29,7 +29,7 @@
    udd-intro
    packaging-from-scratch
    fixing-a-bug
-   fixing-a-bug-security
+   security-and-stable-release-updates
 
 Knowledge Base
 --------------
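Review bot: renaming the toctree entry from fixing-a-bug-security to security-and-stable-release-updates leaves any `:doc:` cross-reference elsewhere in the guide that still uses the old name unresolved, which Sphinx reports as a warning and renders as a broken link; worth grepping the other .rst files for `fixing-a-bug-security` before this lands, since the hunk only updates index.rst.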

=== renamed file 'fixing-a-bug-security.rst' => 'security-and-stable-release-updates.rst'
--- fixing-a-bug-security.rst	2011-07-20 11:05:17 +0000
+++ security-and-stable-release-updates.rst	2011-07-20 12:21:22 +0000
@@ -1,6 +1,9 @@
-===============================
-Fixing a security bug in Ubuntu
-===============================
+===================================
+Security and Stable Release Updates
+===================================
+
+Fixing a Security Bug in Ubuntu
+-------------------------------
 
 Introduction
 ============
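Review bot: the heading hierarchy in this hunk now mixes three adornment styles (overlined `===` for the page title, `---` for "Fixing a Security Bug in Ubuntu", and underline-only `===` for "Introduction"), which docutils treats as three distinct levels in order of first appearance; that gives the intended nesting, but it only keeps working if every later section uses the same three styles in the same order, so please check the rest of the file (including the new "Stable Release Updates" section, which also uses `---`) against it.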
@@ -11,60 +14,24 @@
 be updating the dbus package in Ubuntu 10.04 LTS (Lucid Lynx) for a security
 update.
 
-Since security updates are most often in stable releases of Ubuntu, you'll need
-to add ``deb-src`` lines to your apt configuration for the stable releases you
-want to fix. So after :doc:`you are set up for Ubuntu
-Development</getting-set-up>`, you'll want to add something like this to
-``/etc/apt/sources.list.d/security-sources.list``::
-
-    # lucid
-    deb-src http://archive.ubuntu.com/ubuntu/ lucid main restricted universe multiverse
-    deb-src http://archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe multiverse
-    deb-src http://security.ubuntu.com/ubuntu/ lucid-security main restricted universe multiverse
-
-Then run the following command to put your changes into effect::
-
-    $ sudo apt-get update
-
 
 Obtaining the source
 ====================
+
 In this example, we already know we want to fix the dbus package in Ubuntu
 10.04 LTS (Lucid Lynx). So first you need to determine the version of the
 package you want to download. We can use the ``rmadison`` to help with this::
 
-    $ rmadison dbus
-    dbus | 1.1.20-1ubuntu1 |         hardy | source, amd64, i386
-    dbus | 1.1.20-1ubuntu3.4 | hardy-security | source, amd64, i386
-    dbus | 1.1.20-1ubuntu3.4 | hardy-updates | source, amd64, i386
+    $ rmadison dbus | grep lucid
     dbus | 1.2.16-2ubuntu4 |         lucid | source, amd64, i386
     dbus | 1.2.16-2ubuntu4.1 | lucid-security | source, amd64, i386
     dbus | 1.2.16-2ubuntu4.2 | lucid-updates | source, amd64, i386
-    dbus | 1.4.0-0ubuntu1 |      maverick | source, amd64, i386
-    dbus | 1.4.0-0ubuntu1.1 | maverick-security | source, amd64, i386
-    dbus | 1.4.0-0ubuntu1.2 | maverick-updates | source, amd64, i386
-    dbus | 1.4.6-1ubuntu6 |         natty | source, amd64, i386
-    dbus | 1.4.12-4ubuntu2 |       oneiric | source, amd64, i386
 
 Typically you will want to choose the highest version for the release you want
 to patch that is not in -proposed or -backports. Since we are updating Lucid's
-dbus, you'll download 1.2.16-2ubuntu4.2::
+dbus, you'll download 1.2.16-2ubuntu4.2 from lucid-updates::
 
-    daniel@bert:~$ LC_ALL=C apt-get source dbus=1.2.16-2ubuntu4.2
-    Reading package lists... Done
-    Building dependency tree
-    Reading state information... Done
-    NOTICE: 'dbus' packaging is maintained in the 'Svn' version control system at:
-    svn://svn.debian.org/svn/pkg-utopia/packages/unstable/dbus
-    Need to get 1,613 kB of source archives.
-    Get:1 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dbus 1.2.16-2ubuntu4.2 (dsc) [2,360 B]
-    Get:2 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dbus 1.2.16-2ubuntu4.2 (tar) [1,576 kB]
-    Get:3 http://archive.ubuntu.com/ubuntu/ lucid-updates/main dbus 1.2.16-2ubuntu4.2 (diff) [34.6 kB]
-    Fetched 1,613 kB in 0s (9,222 kB/s)
-    dpkg-source: info: extracting dbus in dbus-1.2.16
-    dpkg-source: info: unpacking dbus_1.2.16.orig.tar.gz
-    dpkg-source: info: applying dbus_1.2.16-2ubuntu4.2.diff.gz
-    daniel@bert:~$
+    $ bzr branch ubuntu:lucid-updates/dbus
 
 
 Patching the source
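Review bot: the surrounding text still frames this step as choosing and downloading a specific version ("you'll download 1.2.16-2ubuntu4.2 from lucid-updates"), but the new `bzr branch ubuntu:lucid-updates/dbus` takes no version and simply gives the current tip of the lucid-updates branch; suggest rewording to say the branch should correspond to the version rmadison shows and that the reader can confirm it in debian/changelog after branching. Also, removing the deb-src block removes the only `:doc:` link to the getting-set-up page, so nothing in this section now tells a new reader that bzr and the `ubuntu:` URL scheme must be set up first. Minor, on the unchanged line: "We can use the ``rmadison`` to help" is missing a word ("the ``rmadison`` tool").
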
@@ -78,98 +45,17 @@
 
 To create your patch using ``edit-patch``::
 
-    daniel@bert:~$ cd dbus-1.2.16
-    daniel@bert:~/dbus-1.2.16$ edit-patch 99-fix-a-vulnerability
-    Normalizing patch path to 99-fix-a-vulnerability
-    Normalizing patch name to 99-fix-a-vulnerability.patch
-    Applying patch 00_dbus-quiesce-startup-errors.patch
-    patching file bus/config-parser.c
-
-    Applying patch 01_no-fatal-warnings.patch
-    patching file dbus/dbus-internals.c
-
-    Applying patch 02_dbus_monitor_no_sigint_handler.patch
-    patching file tools/dbus-monitor.c
-
-    Applying patch 10_dbus-1.0.1-generate-xml-docs.patch
-    patching file Doxyfile.in
-
-    Applying patch 20_kbsd_cmsgcred.patch
-    patching file dbus/dbus-sysdeps-unix.c
-
-    Applying patch 30_rt-as-needed.patch
-    patching file bus/Makefile.am
-    patching file bus/Makefile.in
-
-    Applying patch 11_timeout_handling.patch
-    patching file dbus/dbus-connection.c
-
-    Applying patch 20_system_conf_limit.patch
-    patching file bus/system.conf.in
-
-    Applying patch 81-session.conf-timeout.patch
-    patching file bus/session.conf.in
-
-    Applying patch 99-CVE-2010-4352.patch
-    patching file dbus/dbus-marshal-validate.c
-    patching file dbus/dbus-marshal-validate.h
-    patching file dbus/dbus-message-factory.c
-    patching file doc/dbus-specification.xml
-
-    Now at patch 99-CVE-2010-4352.patch
-    Patch 99-fix-a-vulnerability.patch is now on top
-    daniel@bert:/tmp/quilt-2oLXmw$ ls dbus/dbus-marshal-validate.c
-    dbus/dbus-marshal-validate.c
-    daniel@bert:/tmp/quilt-2oLXmw$ vi dbus/dbus-marshal-validate.c
+    $ cd dbus
+    $ edit-patch 99-fix-a-vulnerability
+
+This will apply the existing patches and put the packaging in a temporary
+directory. Now edit the files needed to fix the vulnerability.  Often upstream
+will have provided a patch so you can apply that patch::
+
+    $ patch -p1 < /home/user/dbus-vulnerability.diff
 
 Aftering making the necessary changes, you just hit Ctrl-D or type exit to
-leave the subshell. E.g.::
-
-    daniel@bert:/tmp/quilt-2oLXmw$ exit
-    exit
-    File ./dbus/dbus-marshal-validate.c added to patch 99-fix-a-vulnerability.patch
-    Refreshed patch 99-fix-a-vulnerability.patch
-    Removing patch 99-fix-a-vulnerability.patch
-    Restoring dbus/dbus-marshal-validate.c
-
-    Removing patch 99-CVE-2010-4352.patch
-    Restoring doc/dbus-specification.xml
-    Restoring dbus/dbus-marshal-validate.h
-    Restoring dbus/dbus-marshal-validate.c
-    Restoring dbus/dbus-message-factory.c
-
-    Removing patch 81-session.conf-timeout.patch
-    Restoring bus/session.conf.in
-
-    Removing patch 20_system_conf_limit.patch
-    Restoring bus/system.conf.in
-
-    Removing patch 11_timeout_handling.patch
-    Restoring dbus/dbus-connection.c
-
-    Removing patch 30_rt-as-needed.patch
-    Restoring bus/Makefile.am
-    Restoring bus/Makefile.in
-
-    Removing patch 20_kbsd_cmsgcred.patch
-    Restoring dbus/dbus-sysdeps-unix.c
-
-    Removing patch 10_dbus-1.0.1-generate-xml-docs.patch
-    Restoring Doxyfile.in
-
-    Removing patch 02_dbus_monitor_no_sigint_handler.patch
-    Restoring tools/dbus-monitor.c
-
-    Removing patch 01_no-fatal-warnings.patch
-    Restoring dbus/dbus-internals.c
-
-    Removing patch 00_dbus-quiesce-startup-errors.patch
-    Restoring bus/config-parser.c
-
-    No patches applied
-    Remember to add debian/patches/99-fix-a-vulnerability.patch debian/patches/series to
-    a VCS if you use one
-
+leave the temporary shell.
 
 Formatting the changelog and patches
 ====================================
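Review bot: the removed edit-patch transcript ended with the reminder to add debian/patches/99-fix-a-vulnerability.patch and debian/patches/series to version control, and the new prose drops it; since the page now follows the bzr workflow, the sentence after "leave the temporary shell" should say to `bzr add debian/patches/99-fix-a-vulnerability.patch` before committing, otherwise the new patch is silently missing from the merge proposal. Two smaller points: "put the packaging in a temporary directory" should read "put the source in a temporary directory" (the removed transcript shows edit-patch working in /tmp/quilt-2oLXmw on the full source tree), and the hard-coded `/home/user/dbus-vulnerability.diff` reads better as a placeholder such as `~/dbus-vulnerability.diff`. The unchanged "Aftering making" line also has a typo ("After making") that could be fixed while this paragraph is being touched.
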
@@ -187,6 +73,7 @@
       * SECURITY UPDATE: [DESCRIBE VULNERABILITY HERE]
         - debian/patches/99-fix-a-vulnerability.patch: [DESCRIBE CHANGES HERE]
         - [CVE IDENTIFIER]
+        - [LINK TO UPSTREAM BUG OR SECURITY NOTICE]
         - LP: #[BUG NUMBER]
     ...
 
@@ -215,5 +102,39 @@
  #. Upgrade to the new version of the package from the previous version
  #. Test that the new package fixes the vulnerability and does not introduce
     any regressions
- #. Submit your work via a Launchpad bug being sure to mark the bug as a
-    security bug and to subscribe ``ubuntu-security-sponsors``
+ #. Submit your work via a Launchpad merge proposal and file a Launchpad bug
+    being sure to mark the bug as a security bug and to subscribe
+    ``ubuntu-security-sponsors``
+
+If the security vulnerability is not yet public then do not file a merge
+proposal and ensure you mark the bug as private.
+
+The filed bug should include a Test Case, i.e. a comment which clearly shows how
+to recreate the bug by running the old version then how to ensure the bug no
+longer exists in the new version.
+
+The bug report should also confirm that the issue is fixed in Ubuntu versions
+newer than the one with the proposed fix (in the above example newer than
+Lucid).  If the issue is not fixed in newer Ubuntu versions you should prepare
+updates for those versions too.
+
+
+Stable Release Updates
+-------------------------------
+
+We also allow updates to releases where a package has a high impact bug such as
+a severe regression from a previous release or a bug which could cause data
+loss.  Due to the potential for such updates to themselves introduce bugs we
+only allow this where the change can be easily understood and verified.
+
+The process for Stable Release Updates is just the same as the proccess for
+security bugs except you should subscribe ``ubuntu-sru`` to the bug.
+
+The update will go into the ``proposed`` archive (for example
+``lucid-proposed``) where it will need to be checked that it fixes the problem
+and does not introduce new problems.  After a week without reported problems it
+can be moved to ``updates``.
+
+See the `Stable Release Updates wiki page`_ for more information.
+
+.. _`Stable Release Updates wiki page`: https://wiki.kubuntu.org/StableReleaseUpdates
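Review bot: the new step "Submit your work via a Launchpad merge proposal and file a Launchpad bug" followed by "If the security vulnerability is not yet public then do not file a merge proposal" leaves the reader with no stated way to submit an embargoed fix; the private-bug paragraph should say what to attach to the private bug instead (for example the patch or a debdiff) so the sponsors can still pick it up. Typo on the line "just the same as the proccess for": "process". "The update will go into the ``proposed`` archive" would be more accurate as the ``-proposed`` pocket, since lucid, lucid-updates and lucid-proposed are pockets of one archive, which also matches how the rmadison output earlier on the page labels them. Please confirm the link target host is intended: the canonical page is https://wiki.ubuntu.com/StableReleaseUpdates, and wiki.kubuntu.org merely serves the same wiki. Lastly, the `-------------------------------` underline under "Stable Release Updates" is longer than the title; docutils accepts that, but matching the title length keeps it consistent with the "Fixing a Security Bug in Ubuntu" heading above.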