On Mon, Dec 06, 2010 at 07:50:34PM +0100, Martin Pitt wrote:
> for the details. This would need to be changed to fetch the .changes
> and debdiff from the PPA. I just checked, and fortunately it seems
> that PPAs also generate debdiffs against the corresponding Ubuntu
> release, so it shouldn't be too hard. Is this going to be a public
> PPA? If not, then we need to rewrite queuediff from urllib to using
> launchpadlib (there seems to be a method packageDiffUrl() which we can
> use), and ~ubuntu-sru needs to be able to access the PPA.

Yes, it would be a public PPA. Embargoed security issues would go through
a different process (the bulk of security issues are not embargoed).

> The alternative approach would be to let the security team do the
> review and copying, and run sru-accept.py by themselves, as I outlined
> in
>
> https://wiki.ubuntu.com/ArchiveAdministration#Copying%20PPA%20kernels%20to%20proposed%20(DRAFT)

I would prefer to keep the security team out of this process except for
helping with CVE triage, PoC creation, and USN publications.

> I guess you already have your own methods/scripts to review package
> deltas, so exercising the steps 1 and 2 might actually be easier for
> you as well?

Well, generally I just read the debdiff before uploading. I've always got
local copies of everything, so I don't really need a script for it.
However, if it helps, here's what we use to pull down binaries, source,
etc. from PPAs:

http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/annotate/head%3A/scripts/sis-changes

usually via:

http://bazaar.launchpad.net/~ubuntu-security/ubuntu-security-tools/trunk/annotate/head%3A/repo-tools/copy_sppa_to_repos

Which has docs at the top on downloading kernels, actually. :)

-Kees

--
Kees Cook
Ubuntu Security Team
