Call for testing: 20.04.6 images!

[Lukasz Zemczak]

Hello everyone!

As already mentioned, this week we're trying our best to get the
good-old 20.04 respun with the new shim. Just recently we were able to
get some release candidate images built:

http://iso.qa.ubuntu.com/qatracker/milestones/443/builds

Please note as this is an exceptional extra point-release, we were
only respinning what was needed: amd64 images. All other architectures
should not be affected and do not need to be rebuilt.

If you have a moment, we'd appreciate some smoke-testing of these
images. As always, submit your test results to the tracker above when
you're done.

Thank you!

-- 
Łukasz 'sil2100' Zemczak
 Foundations Team
 Tools Squad Interim Engineering Manager
 lukasz.zemc...@canonical.com
 www.canonical.com

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: Building grub2-unsigned from sources on bionic

[Dimitri John Ledkov]

Hi,

On Tue, 14 Mar 2023 at 22:52, Vishwanath Pai  wrote:
>
> Hi All,
>
> I noticed that with the latest update to grub2-unsigned, one of the build 
> dependencies is gcc-10.
> But gcc-10 is not available on bionic. We build ubuntu packages in our build 
> system from source but
> unfortunately we have no way to build the new grub2-unsigned package in our 
> bionic build
> environment.
>
> Also another dependent package: libfuse3-dev is similarly not available on 
> bionic. How is
> grub2-unsigned being built for the official ubuntu repositories?

src:grub2 provided in a given suite is currently buildable in a given
suite. It was changed to exclude building EFI platform code, which is
now built by src:grub2-unsigned, once on one series with one
toolchain, and reused in all ubuntu releases.

Due to multiple recent EFI only vulnerabilties, to reduce security
review and maintenance and debugging/compatiblity checking costs, it
was decided to split src:grub2 into src:grub2 (with all the unsigned
platforms) and src:grub2-unsigned which only contain EFI platform
bootloader without any userspace binaries or dependencies.

If you observe the builds on launchpad, you will notice that
src:grub2-unsigned is built once, and is packaged to ensure that it is
a free standing package without any hard runtime dependencies on the
host system. I.e. open pad.lv/u/grub2-unsigned, click on a desired
version and observe the build
https://launchpad.net/ubuntu/+source/grub2-unsigned/2.06-2ubuntu14.1
you will see that it was compiled in Kineitc once, and published in
all the suites identically bionic; focal; jammy; kinetic. The build
log for each architecture, clearly states that kinetic build-shcroot
was used, and that produced binaries can be published and install in
both older, same and newer series, due to unique engineering we did in
the build process of only that pacakge.

The result of that is signed by Canonical Secureboot keys, and
published from src:grub2-signed package which in turn has per-series
runtime dependencies and versions, but vendors the same identical
build of the signed EFI package.

It is on our plans to provide a gcc-10 toolchain backport, such that
each suite can rebuild the binary package again. However, this will
not reproduce the same result, and may introduce security
vulnerabilities that rely on the toolchain features provided during
build. To reproduce what we have done in the Ubuntu archive, imho it
best to redo what we did - stand up Kinetic builder, build the source
package in Kinetic chroot, sign it with your own keys, rebuild
grub2-signed from scratch pointng at your signed binaries.

Note, rebuilding grub2-unsigned alone is not very useful, as it is not
used on installed systems at all. As the binaries it produces in the
signing tarball, have to be signed (for example we use Launchpad
Signing Service provided in the PPA and Archive builders), and then
revendored back inside grub2-signed. I am assuming you have your own
secureboot signatures, and you rebuild -signed packages yourself with
your own signatures.

If you do not rebuild signed binaries, and do not resign them with
your own secureboot keys, and instead rely on industry wide CA
certificates and using Canonical signed secureboot signatures - then
you probably already skip rebuilding packages such shim / shim-signed,
grub2 / grub2-signed, linux / linux-signed' and thus should also skip
grub2-unsigned.

Please note, this is the same thing we have been doing with shim /
shim-signed packages previously. So please check what you have been
internally doing with shim / shim-signed packages.

If you do not use Secureboot at all, and the split of platform code
that is built by src:grub2 & src:grub2-unsigned of different version
is not useful to you, you could patch those to either use a stock
toolchain, or revert to making src:grub2 package to generate all
bootloader platforms. Depending on what you do, this might be a
reasonable approach, however that will not include fixes for all
publically known vulnerabilities affecting EFI builds.

Please let me know publicly or privately, if this helps, or if you
have any further questions.

-- 
okurrr,

Dimitri

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Building grub2-unsigned from sources on bionic

[Vishwanath Pai]

Hi All,

I noticed that with the latest update to grub2-unsigned, one of the build 
dependencies is gcc-10.
But gcc-10 is not available on bionic. We build ubuntu packages in our build 
system from source but
unfortunately we have no way to build the new grub2-unsigned package in our 
bionic build
environment.

Also another dependent package: libfuse3-dev is similarly not available on 
bionic. How is
grub2-unsigned being built for the official ubuntu repositories?

Thanks,
Vishwanath-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

Neutron 18.6.0 - Wallaby on Ubuntu 20.04, neutron-dhcp-agent RPC unusually slow

[Zakhar Kirpichenko]

Hi!

We're running Openstack Wallaby on Ubuntu 20.04, 3 high-performance infra
nodes with a RabbitMQ cluster. I updated Neutron components to version
18.6.0, which recently became available in the Cloud Archive repository (
http://ubuntu-cloud.archive.canonical.com/ubuntu focal-updates/wallaby
main). Normally this would be an easy update, but this time
neutron-dhcp-agent doesn't work properly: at start DHCP configuration for
each port (and network) takes a lot longer than it used to with the
previous Neutron version (18.5.0), with a big number of networks and ports
things get rather bad. I tried to describe the issue in more detail here:
https://bugs.launchpad.net/cloud-archive/+bug/2011513

As for some reason I am unable to target a specific package version or
package in general, I don't know if anyone will notice that submission. I
would very much appreciate any advice, especially regarding:

1) submitting the bug report in a way that it specifically targets Ubuntu
20.04, Openstack Wallaby, and Neutron, so that the relevant developer(s)
are aware of this possible bug or regression;

2) getting the previous version of Neutron packages - I don't know if that
is possible, as the Cloud Archive repository only has the latest versions,
and it's unclear how to roll back from this update.

Thank you for your time!

Best regards,
Zakhar
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss

[ubuntu-studio-devel] Ubuntu Studio daily CD health check

[noreply+ubuntu-cdimage]

This is a daily health check report on the Ubuntu Studio CD images.
If you have any questions, contact Colin Watson .

ubuntustudio/dvd: jammy-dvd-amd64.iso oversized by 123160064 bytes (5123160064)

-- 
ubuntu-studio-devel mailing list
ubuntu-studio-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-studio-devel