** Summary changed: - Make fips-check script aware of commit reverts + Drop fips-check script from trees
** Description changed: [Impact] When producing a new version of some kernels, we need to check for changes that might affect FIPS certs and justify why a commit was kept. + For that, we have a fips-check script that lives under debian/ in Focal, + Jammy, Mantic and Noble. - Currently there is a fips-check script that complains whenever a commit - with crypto-related changes is found without any justification. However, - this script does not account for cases where these commits are reverted - and will fail even in these cases. + This script has been moved to `cranky`[1], so now there is no need to + have this script in the kernel Git trees as well. + + [1] https://git.launchpad.net/~canonical-kernel/+git/kteam- + tools/commit/?id=2ab9364d4b4c18bee7d835787d7dd11990103bca [Fix] - After finding the commits that touch crypto source, also look for - commits that revert them. + Remove the fips-check script and its calls. [Test Plan] - Take a Jammy FIPS kernel from the 2024.02.05 cycle, which introduces two - commits that touch crypto source. Revert those commits (and do not - forget to follow the convention of adding `UBUNTU: SAUCE` to the commit - subject). Proceed to prepare the kernel, and at the `cranky close` step, - confirm that it can be run without any errors. + Prepare a kernel and ensure that the `cranky close` step runs without + any errors. [Where problems could occur] - This only affects the preparation of FIPS kernels and not the kernel - final binary. + This only affects the preparation of FIPS kernels and not the kernel final binary. Moreover, I've prepared some FIPS kernels from the 2024.03.04 cycle relying on `cranky check-fips` to ensure that + we have it working well on the cranky side too. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. 
https://bugs.launchpad.net/bugs/2055083

Title:
  Drop fips-check script from trees

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Jammy:
  In Progress
Status in linux source package in Noble:
  In Progress

Bug description:
  [Impact]
  When producing a new version of some kernels, we need to check for changes that might affect FIPS certs and justify why a commit was kept. For that, we have a fips-check script that lives under debian/ in Focal, Jammy, Mantic and Noble.

  This script has been moved to `cranky`[1], so now there is no need to have this script in the kernel Git trees as well.

  [1] https://git.launchpad.net/~canonical-kernel/+git/kteam-tools/commit/?id=2ab9364d4b4c18bee7d835787d7dd11990103bca

  [Fix]
  Remove the fips-check script and its calls.

  [Test Plan]
  Prepare a kernel and ensure that the `cranky close` step runs without any errors.

  [Where problems could occur]
  This only affects the preparation of FIPS kernels and not the kernel final binary. Moreover, I've prepared some FIPS kernels from the 2024.03.04 cycle relying on `cranky check-fips` to ensure that we have it working well on the cranky side too.