Old USNs reported on riscv64 packages

Bug #1972579 reported by Michał Sawicz
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| review-tools | Invalid | Undecided | Unassigned | |

Bug Description

Hey all, for over a week now we've been getting reports from the snap store of outdated packages in one of our snaps **on riscv64**.

E.g.

```json
  "mir-test-tools": {
    "7755": {},
    "7756": {},
    "7757": {},
    "7758": {
      "libcups2": [
        "4340-1"
      ],
      "libpulse0": [
        "4355-1",
        "4640-1"
      ]
    }
  }
```

But those notices are some 2 years old…
https://ubuntu.com/security/notices/USN-4340-1
https://ubuntu.com/security/notices/USN-4355-1
https://ubuntu.com/security/notices/USN-4640-1

Those packages are way newer in the 18.04 release archives, let alone updates.

Steve Beattie (sbeattie) wrote :

What core version does this snap target? Ubuntu 18.04 LTS does not/did not support riscv64, so I'm not sure why that's relevant here.

(But also, as of today, USN 4640-1 references the latest version of pulseaudio in bionic 1:11.1-1ubuntu7.11 https://launchpad.net/ubuntu/bionic/+source/pulseaudio, as does USN 4340-1 for cups 2.2.7-1ubuntu2.8 https://launchpad.net/ubuntu/bionic/+source/cups .)

Michał Sawicz (saviq) wrote :

Hi Steve, are you asking about mir-test-tools? It's `base: core20`, so that's what should be relevant?

As for what it targets, in theory everything where snaps run.

Emilia Torino (emitorino) wrote:

Hi Michał,

The service basically compares each of the packages/versions listed in the primed-stage-packages section of the snap manifest.yaml against the USN database and reports if it considers any of those could be vulnerable (i.e. a package is listed in a USN with a greater version than the version in the snap). It uses the snap base to define the proper version to compare (in this case, it checks for focal since the base is core20).

I picked one revision of mir-test-tools to check and I see #8017 has

- libpulse0=1:13.99.1-1ubuntu3

USN-4640-1 fixes a CVE for pulseaudio/focal in https://launchpad.net/ubuntu/+source/pulseaudio/1:13.99.2-1ubuntu2.1. Since 1:13.99.2-1ubuntu2.1 is greater than 1:13.99.1-1ubuntu3, then a notification is sent. Do you see any issue with this report?

Besides that I still see a problem with review tools since the service does not make a per arch comparison and both https://launchpad.net/ubuntu/+source/cups/2.3.1-9ubuntu1.1 and https://launchpad.net/ubuntu/+source/pulseaudio/1:13.99.1-1ubuntu3.2 failed to build for riscv64 so that fixed version is not really available. This is not a common situation though, since we do generate updates for all supported architectures as part of the same USN.
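The comparison described above, as an added example that is not review-tools' own code: a dpkg-style version compare and the USN check run over a constructed record for USN-4640-1, with an assumed arch-aware variant that skips notices whose fix never built for the snap's architecture. The fix version is the focal one quoted in this thread; the set of architectures it built for is an assumption, not Launchpad data.

```python
# Added example, not review-tools' own code; the arch-aware branch is an assumption
import re

def _order(c):
    # dpkg non-digit ordering: '~' < end of string < letters < everything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Alternate non-digit and digit runs, as dpkg's verrevcmp does
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return -1 if d < 0 else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def parse_version(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0, revision may be empty
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def dpkg_cmp(a, b):
    # -1, 0 or 1, like `dpkg --compare-versions`
    (ea, ua, ra), (eb, ub, rb) = parse_version(a), parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# Constructed record: fix version from the thread (USN-4640-1, focal); arch set is assumed
USN_FIXES = [("USN-4640-1", "libpulse0", "1:13.99.2-1ubuntu2.1",
              {"amd64", "arm64", "armhf", "ppc64el", "s390x"})]

def check_primed(primed, arch, arch_aware=False):
    # primed: {binary package: version} as listed in primed-stage-packages
    findings = {}
    for usn, binpkg, fixed, built_for in USN_FIXES:
        ver = primed.get(binpkg)
        if ver is None or dpkg_cmp(ver, fixed) >= 0:
            continue  # not staged, or already at/above the fixed version
        if arch_aware and arch not in built_for:
            continue  # fix never built for this arch (assumed data)
        findings.setdefault(binpkg, []).append(usn)
    return findings
```

With the #8017 version `1:13.99.1-1ubuntu3` the arch-unaware check reports USN-4640-1 on every architecture, while the arch-aware variant stays silent on riscv64 only because the constructed record says the fix never built there.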

Michał Sawicz (saviq) wrote :

Thanks Emilia, there were no riscv64 packages listed on packages.ubuntu.com and I didn't think to look on Launchpad. That at least confirms that riscv64 is still affected by these.

So IIUC the problem seems two-fold, then?

1. the packages in question failed to build for riscv64
2. review-tools needs to be arch-aware, so it doesn't report outdated packages where there are none newer available?

Should we add the respective packages to this bug or track 1. above elsewhere?

Michał Sawicz (saviq) wrote :

Could you please try and trigger a rebuild of these for riscv64? I'm told only the security team can?

Dimitri John Ledkov (xnox) wrote :

Opened cups bug to do no-change rebuild https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1973733 and uploaded into SRU unapproved queue.

Opened pulseaudio bug to fix FTBFS on riscv64 at https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1973734 and preparing a fix.

Dimitri John Ledkov (xnox) wrote :

It seems like review-tools is right, and we are missing builds for the above-mentioned CVEs on riscv64, which should be resolved as SRUs at this point in the Ubuntu project.

Michał Sawicz (saviq) wrote :

Thanks Dimitri, this is invalid then.

Changed in review-tools:
status: New → Invalid