On Tue, Apr 11, 2023 at 05:00:03PM +0100, Phil Roche wrote: > * https://ubuntu.com/security/CVE-2022-2602 was announced and made public > on 18th October > * There was confusion around whether publishing a kernel to > -updates|-security for an unreleased release during freeze was allowed and > the decision was made not to and to wait until the archive was open again > for uploads
Ok, let's set the record straight on this: there is no policy that prohibits us from releasing packages to -security before the release pocket is frozen. There may be some tooling issues that make it awkward on the kernel team's side (that's my recollection), but there's no policy against it. And as the cloud images are frequently updated, and security updates are automatically installed, I don't think it's a problem if the cloud images released on release day include packages from -security or -updates that are not included in the installer images, mastered earlier, including packages only from the release pocket. So hopefully that makes things clearer. > So to avoid this specific issue happening again, we could state that in > circumstances like these kernels that are addressing a CVE can be published > before release regardless of freeze state. That would mean that > for CVE-2022-2602 all kernels would have been published and server, desktop > and cloud could release at the same time. > > You mention a kernel CVE; I don't remember the details, but it evidently > > wasn't considered a reason to hold back and respin all of the installer > > images. Why was it necessary to hold the cloud images back? For cloud > > images in particular, the next image is not far away. > For cloud, CPC's stance, and one which the cloud partners will hold us to, > is that we do not knowingly publish any release, as opposed to a daily, > cloud image with a high or critical priority CVE present. Ok. On Tue, Apr 11, 2023 at 05:20:30PM +0100, Phil Roche wrote: > Perhaps we can amend my proposal from > https://lists.ubuntu.com/archives/ubuntu-release/2023-April/005607.html > server, desktop and cloud will release in lockstep on release day *. > > * exceptions to this are where a high or critical priority CVE becomes > > public before or on release day. If this were to occur then the server, > > desktop and cloud images might release independently while waiting for > > updated builds to address the CVE. > to > server, desktop and cloud will release in lockstep on release day *. > * Exceptions to this are where a high or critical priority CVE becomes > public before or on release day. For critical priority CVEs then release > of server, desktop and cloud will be blocked until new images can be built > addressing the CVE. For high priority CVEs, the decision to block release > will be made on a per product (server, desktop and cloud) basis and will > depend on the nature of the CVE which might result in images not being > released on the same day. I'm comfortable with that. I'd like to see opinions of other Release Team members as well. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ [email protected] [email protected]
signature.asc
Description: PGP signature
-- Ubuntu-release mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-release
