On Tue, 2023-04-11 at 16:34:21 -0700, Steve Langasek wrote:
> On Tue, Apr 11, 2023 at 05:00:03PM +0100, Phil Roche wrote:
>
>> * https://ubuntu.com/security/CVE-2022-2602 was announced and made public on 18th October
>> * There was confusion around whether publishing a kernel to -updates|-security for an unreleased release during freeze was allowed and the decision was made not to and to wait until the archive was open again for uploads
>
> Ok, let's set the record straight on this: there is no policy that prohibits us from releasing packages to -security before the release pocket is frozen.
>
> There may be some tooling issues that make it awkward on the kernel team's side (that's my recollection), but there's no policy against it.
>
> And as the cloud images are frequently updated, and security updates are automatically installed, I don't think it's a problem if the cloud images released on release day include packages from -security or -updates that are not included in the installer images, mastered earlier, including packages only from the release pocket.
>
> So hopefully that makes things clearer.
>
>> So to avoid this specific issue happening again, we could state that in circumstances like these kernels that are addressing a CVE can be published before release regardless of freeze state. That would mean that for CVE-2022-2602 all kernels would have been published and server, desktop and cloud could release at the same time.
>
>> > You mention a kernel CVE; I don't remember the details, but it evidently wasn't considered a reason to hold back and respin all of the installer images. Why was it necessary to hold the cloud images back? For cloud images in particular, the next image is not far away.
>
>> For cloud, CPC's stance, and one which the cloud partners will hold us to, is that we do not knowingly publish any release, as opposed to a daily, cloud image with a high or critical priority CVE present.
>
> Ok.
>
> On Tue, Apr 11, 2023 at 05:20:30PM +0100, Phil Roche wrote:
>> Perhaps we can amend my proposal from https://lists.ubuntu.com/archives/ubuntu-release/2023-April/005607.html
>
>> server, desktop and cloud will release in lockstep on release day *.
>> > * exceptions to this are where a high or critical priority CVE becomes public before or on release day. If this were to occur then the server, desktop and cloud images might release independently while waiting for updated builds to address the CVE.
>
>> to
>
>> server, desktop and cloud will release in lockstep on release day *.
>> * Exceptions to this are where a high or critical priority CVE becomes public before or on release day. For critical priority CVEs then release of server, desktop and cloud will be blocked until new images can be built addressing the CVE. For high priority CVEs, the decision to block release will be made on a per product (server, desktop and cloud) basis and will depend on the nature of the CVE which might result in images not being released on the same day.
>
> I'm comfortable with that. I'd like to see opinions of other Release Team members as well.
>

I am also fine with that.

> --
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                 to set it on, and I can move the world.
> Ubuntu Developer                 https://www.debian.org/
> slanga...@ubuntu.com                                   vor...@debian.org

--
Ubuntu-release mailing list
Ubuntu-release@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-release