** Summary changed:
- Make fips-check script aware of commit reverts
+ Drop fips-check script from trees
** Description changed:
[Impact]
When producing a new version of some kernels, we need to check for
changes that might affect FIPS certs and justify why a commit was kept.
+ For that, we have a fips-check script that lives under debian/ in Focal,
+ Jammy, Mantic and Noble.
- Currently there is a fips-check script that complains whenever a commit
- with crypto-related changes is found without any justification. However,
- this script does not account for cases where these commits are reverted
- and will fail even in these cases.
+ This script has been moved to `cranky`[1], so now there is no need to
+ have this script in the kernel Git trees as well.
+
+ [1] https://git.launchpad.net/~canonical-kernel/+git/kteam-
+ tools/commit/?id=2ab9364d4b4c18bee7d835787d7dd11990103bca
[Fix]
- After finding the commits that touch crypto source, also look for
- commits that revert them.
+ Remove the fips-check script and its calls.
[Test Plan]
- Take a Jammy FIPS kernel from the 2024.02.05 cycle, which introduces two
- commits that touch crypto source. Revert those commits (and do not
- forget to follow the convention of adding `UBUNTU: SAUCE` to the commit
- subject). Proceed to prepare the kernel, and at the `cranky close` step,
- confirm that it can be run without any errors.
+ Prepare a kernel and ensure that the `cranky close` step runs without
+ any errors.
[Where problems could occur]
- This only affects the preparation of FIPS kernels and not the kernel
- final binary.
+ This only affects the preparation of FIPS kernels and not the kernel final
binary. Moreover, I've prepared some FIPS kernels from the 2024.03.04 cycle
relying on `cranky check-fips` to ensure that
+ we have it working well on the cranky side too.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2055083
Title:
Drop fips-check script from trees
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Jammy:
In Progress
Status in linux source package in Noble:
In Progress
Bug description:
[Impact]
When producing a new version of some kernels, we need to check for
changes that might affect FIPS certs and justify why a commit was
kept. For that, we have a fips-check script that lives under debian/
in Focal, Jammy, Mantic and Noble.
This script has been moved to `cranky`[1], so now there is no need to
have this script in the kernel Git trees as well.
[1] https://git.launchpad.net/~canonical-kernel/+git/kteam-tools/commit/?id=2ab9364d4b4c18bee7d835787d7dd11990103bca
[Fix]
Remove the fips-check script and its calls.
[Test Plan]
Prepare a kernel and ensure that the `cranky close` step runs without
any errors.
[Where problems could occur]
This only affects the preparation of FIPS kernels and not the kernel
final binary. Moreover, I've prepared some FIPS kernels from the
2024.03.04 cycle relying on `cranky check-fips` to ensure that we have
it working well on the cranky side too.