Hi Alex,

Thank you. See responses below.

On Tue, 11 Apr 2023 at 02:19, Alex Murray <alex.mur...@canonical.com> wrote:

> Hi folks,
>
> On Fri, 2023-04-07 at 11:27:47 +0100, Phil Roche wrote:
>
> > Hi Brian,
> >
> > On Thu, 6 Apr 2023 at 20:21, Brian Murray <br...@ubuntu.com> wrote:
> >
> >> On Thu, Mar 23, 2023 at 02:50:55PM +0000, Phil Roche wrote:
> >> > Hi all,
> >> >
> >> > I work on the Canonical Public Cloud (CPC) team responsible for the
> >> > build and publication of all the Ubuntu cloud images
> >> > <http://cloud-images.ubuntu.com/> and all their supported
> >> > derivatives in the major public and private clouds.
> >> >
> >> > As 23.04 release day fast approaches, I would like to start a new
> >> > thread on CPC's involvement in release day decisions.
> >> >
> >> > Reflecting on the last Ubuntu 22.10 release, from a cloud image
> >> > perspective, it did not go very well and we were a few days behind the
> >> > main desktop/server release, finally releasing on October 22nd instead of
> >> > October 20th. This was due to the decision by CPC to wait for the high
> >> > priority CVE https://ubuntu.com/security/CVE-2022-2602 changes to
> >> > land in the Kinetic kernel.
> >>
> >> As I understand it, the problem you'd like to address is not having the
> >> images (cloud, desktop, and server) released on different dates. Is that
> >> correct?
> >>
> >
> > Exactly this yes.
> >
> >
> >> > The use cases for cloud images are not the same as for server and
> >> > desktop and releasing with a vulnerable kernel did not make sense even if
> >> > we knew an updated kernel that people could upgrade to was forthcoming.
> >> >
> >> > The current release process is centered on ISOs with cloud images
> >> > being downstream but I feel that given Ubuntu cloud images’ usage a
> >> > situation like the above with CVE-2022-2602 should have warranted a no-go
> >> > decision.
> >>
> >> I believe the CPC team did make a no-go decision by opting to release
> >> after the rest of the images. However, what I think the CPC team really
> >> wants is to have any critical issue with the cloud, desktop, or server
> >> products which results in a no-go for that product to result in it being
> >> a no-go for all three of those products and likely flavors as a
> >> consequence. Am I understanding your intent correctly?
> >>
> >
> > Correct
> >
> >
> >>
> >> For what it's worth, for as long as I've been involved in the release
> >> process, which isn't that long really, I'm not aware of a case where
> >> an issue with the server images ended up delaying desktop images or vice
> >> versa. The point being I'm not certain there is any precedent for my
> >> interpretation of what the CPC team is asking to have implemented.
> >>
> >
> > Yes, for the years I have been involved, the 22.10 release was the first
> > I can remember where a high priority CVE landed on the same day as
> > release which is probably the only scenario in which CPC might be voting
> > for a no-go.
> >
>
> There will always be new CVEs discovered, which will therefore affect
> the different installer media / cloud images etc which have older,
> unpatched versions of various packages and hence will be affected.
>
> As Steve said earlier in this thread, given that cloud images in
> particular are respun much more frequently than installer images, I
> would have thought it would be less of a concern for cloud images that
> they may contain a high priority vulnerability compared to the installer
> images.


Unfortunately, we have found that our partners view high and critical in
the same way, so I am hesitant to publish images with high-priority known
and public CVEs. Perhaps my suggestion to officially allow security uploads
to the unreleased release prior to release will render my concerns moot,
unless we have a CVE become public on release day itself.


> So from a security point of view I don't see a lot of value in delaying
> the release of an image / installer media for a given vulnerability
> (unless it is something that relates to secure boot etc and hence is
> much more fundamental to the trust of the image itself) since this is a
> game of whack-a-mole.
>

Can I assume such CVEs would be marked as critical given their nature?


>
> > If the consensus is that neither server, desktop nor cloud should block
> > each other on release day and that there is no longer an assumption that
> > they will release on release day then I am +1 but I would like us to state
> > that clearly so we have no confusion or need for debate on release day.
>
> My preference would be that we only choose to delay under exceptional
> circumstances, i.e. a critical priority CVE (not high) [1], and in that
> case we delay all media for consistency.
>

Perhaps we can amend my proposal from
https://lists.ubuntu.com/archives/ubuntu-release/2023-April/005607.html

server, desktop and cloud will release in lockstep on release day *.
* exceptions to this are where a high or critical priority CVE becomes
public before or on release day. If this were to occur then the server,
desktop and cloud images might release independently while waiting for
updated builds to address the CVE.

to

server, desktop and cloud will release in lockstep on release day *.
* Exceptions to this are where a high or critical priority CVE becomes
public before or on release day. For critical priority CVEs, release of
server, desktop and cloud will be blocked until new images can be built
addressing the CVE. For high priority CVEs, the decision to block release
will be made on a per product (server, desktop and cloud) basis and will
depend on the nature of the CVE, which might result in images not being
released on the same day.

Again, thank you all for your input. My main goal of this thread is to come
to a consensus on what should happen if a rerun of CVE-2022-2602 were to
occur and to avoid any need for debate or confusion on release day.

Thanks,

Phil


> >
> >
> >> > What are the release team's thoughts on the CPC team being more involved
> >> > in the no/go decision process on release day? I recognise that release
> >> > team member Utkarsh Gupta is an engineer on the CPC team but his
> >> > involvement in the release team is not with cloud images specifically.
> >>
> >> I'd be happy to have the CPC team more involved on release day but I
> >> think we (or some board?) need to define a process for go / no-go
> >> decisions.
> >>
> >
> > Yes, this thread was to get that conversation started.
> >
> > Phil
> >
> >
> >> Cheers,
> >> --
> >> Brian Murray
> >>
> >
> >
> > --
> > Phil Roche
> > Staff Software Engineer
> > Canonical Public Cloud
> > --
> > Ubuntu-release mailing list
> > Ubuntu-release@lists.ubuntu.com
> > Modify settings or unsubscribe at:
> > https://lists.ubuntu.com/mailman/listinfo/ubuntu-release
>
> [1] https://people.canonical.com/~ubuntu-security/priority.html
>


-- 
Phil Roche
Staff Software Engineer
Canonical Public Cloud