
=== Pendulum_ is now known as Pendulum
buzzarddoes anyone know if there are any sessions scheduled for User Days on June 5?02:46
mhall119there will be multiple sessions02:48
mhall119but there's no schedule for them yet02:49
buzzardmhall119: thanks, this will be my first one and I'm anxious to see the list of topics.02:50
mhall119it'll probably be next week before the schedule comes together02:58
buzzardi've read several of the transcripts from the last one; they were very helpful03:07
Pendulumbuzzard: glad you found them useful!03:11
qwebirc56426where do I learn to package debs07:08
yann2well that's convenient, I was just going to need to learn about packaging :)13:41
eagles0513875hey guys :) i know im early for the session14:16
yann2btw does anyone mind if I log the session?14:26
eagles0513875yann2: i think all ubuntu channels are logged14:26
eagles0513875im not an ubuntu staffer so i dunno14:26
eagles0513875but i dont think they would mind14:26
yann2ok :) it s just the freenode rules that states "thou should warn if thou log" :)14:27
ubot2For Ubuntu Classroom logs, please visit http://irclogs.ubuntu.com14:28
ddecatoryann2: a lot of people unofficially log channels14:28
MTecknologyjust don't make them public - it's assumed everyone logs for themselves14:28
yann2which is why I was asking :)14:29
yann2but not needed apparently14:29
=== jas_ is now known as zerointeger
eagles0513875hey guys what time is 1800 UTC16:33
eagles0513875for GMT16:33
User376i am trying to use Quassel IRC client to connect to this channel but am not able to... any tips? I have done the regular, created a nick, registered it etc.16:34
zerointegeris this working?16:36
zerointegeris this working16:51
nigelbzerointeger: um, if you mean if we can see your post "is this working" twice, yes it is.16:54
zerointegera coworker told me people are helping with package creation in this channel today?17:01
Thomas_Zahreddinas far as i understand the session starts in 54 min.17:07
jetiennei have been told in 1h54m17:09
jetienne[17:08] <dholbach> mdeslaur will give a Packaging Training session about "Preparing Security Updates" in #ubuntu-classroom at 18:00 UTC17:09
zerointegerso does that mean I can get assistance on creating a .dep package for a pam module I patched?17:23
jetiennezerointeger: no idea if you can get it here. #ubuntu-motu or irc.debian.org/#debian-mentors may help tho17:32
mdeslaurSo...is it time?19:01
ayani think so!19:02
mdeslaurGreat! I'll start then19:02
mdeslaurHi, I'm Marc from the Ubuntu Security Team. Today I will be talking about producing security updates for stable Ubuntu releases.19:02
mdeslaurThis won't be a hands on session, rather, it will be an informative talk about the environments and tools the security team uses, and how those tools help us to produce updates.19:03
mdeslaurThis information can be used as a reference to set up your own environment to produce updates for all the stable releases.19:03
mdeslaurFirst, an overview of our setup, and after I will explain how you can set it up yourselves.19:04
mdeslaurSince we currently produce security updates for Dapper, Hardy, Jaunty, Karmic, Lucid and Maverick, we need to be able to build and test in all those environments.19:04
mdeslaurThe security team uses KVM virtual machines for testing, and schroots with sbuild for building and testing. Our schroots used to use LVM snapshots, but now with Lucid we use aufs schroots, which are easier to set up.19:05
mdeslaurBecause we test all our security updates on amd64 and i386 before publishing, we use amd64-capable hardware and the amd64 version of Ubuntu. That way, we can use both amd64 and i386 virtual machines and schroots. Of course, this isn't a requirement to build security updates, but helps in making sure we are not introducing platform-specific regressions.19:05
mdeslaurReleasing security updates is very different from uploading a package to a dev release, where system breakage and regressions are part of the development process. If you upload a package to the dev release and something breaks, you can simply upload a package that fixes the breakage.19:06
mdeslaurUsers of the dev release are mostly technical people who readily accept breakage as a compromise for running the latest and greatest.19:06
mdeslaurOnce we press the figurative big red button to release a security update to a stable release, ~12 million Ubuntu users will be installing it in the next few hours. This is a user base that has zero tolerance for updates breaking their system, and any regressions are likely to reflect badly on Ubuntu's reputation.19:07
mdeslaurRegression testing is _the_ most important part of producing security updates and is what takes up most of the time.19:07
mdeslaurNow, back to setting up the environment:19:07
mdeslaurMy colleague jdstrand wrote up an excellent wiki page on how to set up a virtual machine environment like the security team uses. It is available here: https://wiki.ubuntu.com/SecurityTeam/TestingEnvironment19:08
mdeslaurBasically, we have a tool called vm-new that is a wrapper script around soren's excellent vmbuilder tool. With this, we create a whole set of "clean" virtual machines, one for i386 and one for amd64, for each Ubuntu release.19:09
mdeslaurOnce we have the "clean" virtual machines set up, we copy them over to a temporary set of VMs that we can install stuff in, run our testing scripts, and ultimately destroy how we see fit. Once we've tested our updates, we simply erase the temporary set of VMs and use a script to copy the "clean" ones over again.19:09
mdeslaurDoing this allows us to always start with a "known good" image, and allows us to reproduce our tests at will.19:10
mdeslaurPersonally, I always get a transparent mouse working in my "clean" virtual machines. I do this by installing the xserver-xorg-input-vmmouse package.19:10
mdeslaurWith lucid, this works out of the box, but in previous releases you needed to configure an adequate xorg.conf file. For dapper, there was no xserver-xorg-input-vmmouse package in the archive, but you can find one I made for it in my PPA here: https://launchpad.net/~mdeslaur/+archive/ppa?field.series_filter=dapper19:11
mdeslaurTo set up the schroots, my colleague jdstrand again has wrote an excellent wiki page here: https://wiki.ubuntu.com/SecurityTeam/BuildEnvironment19:11
mdeslaurOnce the schroots are set up, we can simply launch a command like "schroot -c jaunty-amd64 -u root" to enter a jaunty schroot and test utilities and proof of concepts, run some testing scripts, or try and reproduce an issue someone has reported.19:12
mdeslaurAre there any questions so far?19:12
mdeslaurok, moving on...19:13
mdeslaurTo ease the process we use when building security updates, and to mimic the build process of the official build servers, we wrote a tool called "umt". This is the main tool we use daily to produce security updates, and it requires having schroots set up, and a few other dependencies.19:13
mdeslaurThere are instructions on the following wiki page that detail some of the steps necessary to set it up: https://wiki.ubuntu.com/SecurityTeam/BuildEnvironment19:14
mdeslaurThe umt tool has the following commands: search, download, changelog, source, binary, build, build-orig, sign, check, compare-log, compare-bin, repo, upload. These commands illustrate basically the whole process we use to produce an update.19:14
mdeslaursearch: This command will search the repos and tell us what the best source package is for each release. This will also warn us when a newer version is currently in -proposed.19:15
mdeslaurSecurity updates are always built using the latest -updates release, and not the -proposed pocket, but we need to know about what is in -proposed so we can make sure our package version will trump it and make sure we add a note to the -proposed package's bug report.19:15
mdeslaurdownload: this command will download a particular package for each release. For example, if I type "umt download gedit", it will create a directory for each release, download the corresponding source package for that release and unpack it. In one simple command, I have source trees for all releases we need to patch.19:16
mdeslaurOnce I've searched for a package and downloaded it, I'm ready to patch it.19:16
mdeslaurWhat's special about producing security updates, is we get to work on every single package in Ubuntu. We need to learn _every_ patch system in the archive.19:17
mdeslaurLuckily, my colleague kees and a few others wrote a great tool called "what-patch", available in the ubuntu-dev-tools package that simplifies trying to figure out what patch system a particular package uses. I simply need to enter the source tree and launch the "what-patch" command to see what patch system is being used.19:17
mdeslaurFrom there, I use dpatch-edit-patch, cdbs-edit-patch, quilt-edit-patch or other similar tools to quickly apply and adjust security patches to the package. I tag all patches as per DEP3: http://dep.debian.net/deps/dep3/19:18
mdeslaurTagging patches really helps to figure out where a patch came from in case of a regression. It also helps a lot when reviewing other people's contributions.19:19
mdeslaurThe approach used when producing security updates for stable releases is to always backport the minimum fix necessary to fix the issue instead of trying to update the packages to a more recent version.19:19
mdeslaurWhy do we always backport patches? Newer versions of software may need updated libraries and dependencies, might break API/ABI, may introduce configuration file changes, need a lot more testing than a simple fix to the existing version, and, most importantly, newer versions may introduce new bugs!19:20
mdeslaurAre there any questions so far?19:20
mdeslaurok, moving along...19:21
mdeslaurOnce my patches are added, I go back to the UMT tool:19:21
mdeslaurchangelog: this command is run from inside the source tree, and spawns the dch command with an appropriate security update version number and pocket already filled out.19:21
mdeslaurbuild: this command will call the source and binary commands in order. The source command will build a source package in a directory called....source! A .debdiff file will also be in the source directory for analysis.19:22
mdeslaurThe binary command will use sbuild in the schroots to build the package with dependancy calculation that approximates what the official builders do. The resulting binary packages will be in the directory called "binary". There is logic in the umt script that automatically determines what release we are building for based on the directory and the changes file and uses the appropriate schroot.19:22
mdeslaurbuild-orig: This command will download the previous release of the package, will build it and discard it in order to get the build log. When building security updates for stable releases, and backporting patches, it is very important to compare the build log of the original package with the build log of the patches package.19:23
mdeslaurThis helps to spot compiler warnings with backports, helps spot missing files in the updates package, and also helps spot regressions when the package runs it's test suite. Doing this has saved our skin many times in the past.19:24
mdeslaurcompare-log: This command will compare the build log of the previous release with the build log of the current (patched) package. UMT will try and standardize and normalize the build logs before doing a diff on them so we can easily see only what's relevant.19:24
mdeslaursign: This command will sign the source package that is in the source directory.19:25
mdeslaurcheck: This command will perform a great big series of sanity checks on the package before we upload it into the archive. Basically, every time we've screwed up in the past, we've added logic to this check so it wouldn't happen again. :)19:25
mdeslaurIt includes checks for: making sure the changelog got updates, making sure the pocket is -security, making sure the version number got incremented and is more recent than what's currently in the archive, making sure the patches are all tagged properly, making sure the patch system was used, making sure we don't have quilt directories in our patch, etc.19:25
mdeslaurcompare-bin: This command will download the previous version of the binaries, perform an analysis on them and perform the same analysis on the binaries that we've just compiled. It checks for: missing files, changed library symbols, etc.19:26
mdeslaurrepo: This command will copy the binaries that we've just produced into a local repo, so they are accessible to our schroots and our virtual machines for testing purposes. This ensures our updates work properly with apt-get and update manager.19:27
mdeslaurAt this point in time, we would perform testing procedures on our new packages, which I'll get to in a few minutes.19:27
mdeslaurupload: This command will upload our packages to the Ubuntu security private PPA for building, after performing a few last-minute sanity checks to make sure nobody uploaded a more recent version while we were working on our updates. (This has happened before!)19:27
mdeslaurOnce the package has been uploaded to the security PPA, and has been built, _we perform testing a second time on the actual binaries_. This makes sure the actual bits that have been produced by the build system are regression-free. We have had issues in the past where minute differences between local builds and official builds have introduced regressions.19:28
mdeslaurAre there any questions so far?19:28
mdeslaurThomas_Zahreddin: shoot19:28
Thomas_Zahreddindid not read all since i came a little late:19:29
Thomas_Zahreddinhow do you automate your tests - what tools you use?19:29
mdeslaurThomas_Zahreddin: I'm getting to that, wait a few minutes and see if I answer your question19:29
mdeslaurok, moving along...19:30
mdeslaurSo, how do we test packages for regressions?19:30
mdeslaurThe security team maintains a large collection of testing scripts we have wrote in the following repository: https://launchpad.net/qa-regression-testing19:30
mdeslaurThe repository contains testing scripts, a lot of information on how to use test suites of particular packages, how to reproduce certain environments, and any other information we think is pertinent.19:31
Thomas_Zahreddinmdeslaur: thanks19:31
mdeslaurBasically, every time we produce a security update for a package, we write a test script that will test the codepath that we've touched. Since we need to test for multiple releases * multiple archs, and test our local build and the official build, writing a test script is the only way to ensure that everything gets tested properly.19:31
mdeslaurThomas_Zahreddin: welcome :)19:31
mdeslaurWhen possible, we will use the upstream's test suite. Some are already built into the package, in which case we try to backport not only the security fixes, but the upstream tests that go with it.19:31
mdeslaurSome packages contain a test suite, but will still build successfully when the test suite fails. In this case, comparing the build logs before and after the update during our process will spot any failing items.19:32
mdeslaurEven when a package has an extensive test suite, we still write testing scripts for sanity testing basic functionnality once the package gets installed.19:32
mdeslaurHere is an example of test script we use with apache: http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/annotate/head:/scripts/test-apache2.py19:33
mdeslaurSome of the test scripts are quite simple, but some are getting complex...it's a matter of what we want to test for each particular security update. Of course, the more we do, the more tests get added.19:33
mdeslaurOther teams within Ubuntu has started using and contributing to our test scripts also, which is great.19:33
mdeslaurI am looking forward to community participation in writing test script for non-Canonical supported packages (essentially what used to be called Universe). sbeattie has done a training session on how to write scripts for the qa-regression-testing suite, which is archived somewhere and is a great read for getting involved.19:34
mdeslaurSo, basically, patching the package itself is only a small part of the whole security update process. The important and time-consuming part when producing updates for stable releases is testing, testing, and more testing.19:35
mdeslaurI hope this overview of the tools and environment the security team uses was useful and can be used as a guide to get your own environment set up. If you have any questions at all about Ubuntu security, or what I've discussed today, please don't hesitate to come over to #ubuntu-hardened and ask away!19:35
mdeslaurNow it's time for the question period!19:36
mdeslaurany questions?19:36
mdeslaurnot all at once, please! :)19:36
mdeslaurok, thanks everyone!19:37
Thomas_Zahreddinmdeslaur: thank you19:38
Thomas_Zahreddinmdeslaur: could you please give a little insight into your build scripts?19:38
Thomas_Zahreddini think most of the magic happens there (and also bzr is very important i suppose)19:39
mdeslaurThomas_Zahreddin: sure. Do you mean the security team's UMT script?19:39
mdeslaurThomas_Zahreddin: it's simply a wrapper around everything we do when making security updates19:40
mdeslaurThomas_Zahreddin: we kept doing the same things over and over, like downloading source packages for each release, etc.19:40
mdeslaurThomas_Zahreddin: so we scripted as much as possible to simplify the specific task of producing security updates19:41
Thomas_Zahreddinmdeslaur: sure, I'm thinking of the usage of hudson (apache) for this task19:41
mdeslaurUnfortunately, I'm unaware of hudson19:42
Thomas_Zahreddin apt-get update; apt-get install hudson 19:43
mdeslaurhmm...looks interesting for a "daily ppa" type of situation19:44
mdeslaurThomas_Zahreddin: I'm not sure how that would work in a security update situation though19:45
Thomas_Zahreddinmdeslaur: i suppose it is not as fast (and flexible) like 'small' scripts (umt)19:46
Thomas_Zahreddinmdeslaur: but it offers a great user interface and very clear oversight - like which tests are run, failed etc.19:46
mdeslaurThomas_Zahreddin: I'm afraid I can't comment on how hudson would work in a security-update type scenario19:47
mdeslaurThomas_Zahreddin: as I don't know enough about it19:47
Thomas_Zahreddini see, of course.19:47
Thomas_Zahreddinmdeslaur: so you did no evaluation for your build tool chain (i suppose) ?19:48
mdeslaurThomas_Zahreddin: we try and mimick the ubuntu builders as much as possible, so no, we have not looked at hudson19:49
Thomas_Zahreddinmdeslaur: thank you for your answers19:49
mdeslaurThomas_Zahreddin: you're welcome19:50
MTecknologymdeslaur: just read up - thanks for the details of everything - I'd definitely like to find some time to help out with things20:11
mdeslaurMTecknology: cool, thanks!20:12
ari-tczewmdeslaur: are you (security team) testing package themselve? or you are base on uploader comments?20:36
ari-tczewpackage patch *20:36
mdeslaurari-tczew: for canonical-supported packages (main), we test ourselves, for non-canonical supported packages (universe), we ask the uploader to describe the testing he has performed, and we take a look at the patch.20:37
=== ayan is now known as ayan-afk

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!