Store sending out notices for ESM-only CVEs (for `base: core20`, too)

Bug #2004008 reported by Michał Sawicz
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Snap Store Server | Invalid | Undecided | Unassigned | |
| review-tools | Fix Released | Undecided | Unassigned | |

Bug Description

I got notice of a handful of outdated packages in some of my snaps, e.g. mir-kiosk-kodi:

```
A scan of this snap shows that it was built with packages from the Ubuntu
archive that have since received security updates. The following lists new
USNs for affected binary packages in each snap revision:

Revision r459 (amd64; channels: stable, candidate, beta)
 * libsmbclient: 5822-2
 * libwbclient0: 5822-2
 * python3-samba: 5822-2
 * samba-common: 5822-2
 * samba-common-bin: 5822-2
 * samba-libs: 5822-2

Revision r460 (arm64; channels: stable, candidate, beta)
 * libmysofa1: 5184-1
 * libpython2.7: 5342-2
 * libpython2.7-minimal: 5342-2
 * libpython2.7-stdlib: 5342-2
 * libsmbclient: 5822-2
 * libwbclient0: 5822-2
 * libzmq5: 4920-1
 * python-pil: 5777-2
 * python2.7: 5342-2
 * python2.7-minimal: 5342-2
 * python3-samba: 5822-2
 * samba-common: 5822-2
 * samba-common-bin: 5822-2
 * samba-libs: 5822-2

# ...
```

Most of these CVEs are only fixed in ESM:

 * https://ubuntu.com/security/notices/USN-4920-1/
 * https://ubuntu.com/security/notices/USN-5184-1/
 * https://ubuntu.com/security/notices/USN-5342-2/
 * https://ubuntu.com/security/notices/USN-5777-2/
 * https://ubuntu.com/security/notices/USN-5822-2/

Is there even a story for building snaps with ESM? Shouldn't this be opt-in per snap?


Daniel Manrique (roadmr) wrote:

The store does nothing in the notification-sending process; we just generate a dump of stage-packages for other tools to analyze and email about.

Changed in snapstore-server:
status: New → Invalid
Emilia Torino (emitorino) wrote:

Daniel, what about this part:

"Is there even a story for building snaps with ESM? Shouldn't this be opt-in per snap?"

Daniel Manrique (roadmr) wrote:

Hi, that sounds like a feature request, and we are aware it'd be nice for the store to have this kind of control and take a more active role in notification generation, but that's still in the pre-planning phase :(

Colin Watson (cjwatson) wrote:

Is there any reason we shouldn't just enable ESM for core18 and core20 builds in Launchpad, as we did for core a while back (see https://ubuntu.com/blog/how-does-ubuntu-16-04-entering-extended-security-maintenance-esm-affect-snap-publishers)?

Alan Griffiths (alan-griffiths) wrote:

> Is there any reason we shouldn't just enable ESM for core18 and core20 builds in Launchpad

While I like that solution, that would mean that local builds (running in Multipass/LXD) could have different content than Launchpad builds.

Alex Murray (alexmurray) wrote:

> While I like that solution, that would mean that local builds (running in Multipass/LXD) could have different content than Launchpad builds

But that is already the case for base: core snaps as Colin mentioned above where esm-infra+esm-apps for xenial is already enabled for Launchpad builds.

Personally I think the idea of getting ESM automatically when using Launchpad (and build.snapcraft.io by extension) for building your snap is an awesome product offering (but the decision to actually turn that on is above my pay grade).

Alex Murray (alexmurray) wrote:

This was fixed in the review-tools package via https://code.launchpad.net/~alexmurray/review-tools/+git/review-tools/+merge/436677, which has now been merged and deployed with a configuration to ignore security updates (i.e. USNs) that reference esm-apps.

Changed in review-tools:
status: New → Fix Released
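As an added illustration (not code from review-tools or the store), this parses the store notice format quoted in the bug description and applies the kind of filter the review-tools fix describes: USNs that only exist in ESM are dropped from the report. The ESM-only set is a constant built from the reporter's list; a real tool would have to derive it from USN metadata.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of the store notice quoted in the bug
# report (a subset of the r459/r460 package lines).
NOTICE = """\
A scan of this snap shows that it was built with packages from the Ubuntu
archive that have since received security updates.

Revision r459 (amd64; channels: stable, candidate, beta)
 * libsmbclient: 5822-2

Revision r460 (arm64; channels: stable, candidate, beta)
 * libmysofa1: 5184-1
 * libzmq5: 4920-1
 * libsmbclient: 5822-2
"""

# USNs the reporter lists as fixed only in ESM. A real tool would derive this
# from USN metadata; here it is a fixed constant.
ESM_ONLY_USNS = {"4920-1", "5184-1", "5342-2", "5777-2", "5822-2"}

REV_RE = re.compile(r"^Revision (r\d+) \(([^;]+); channels: ([^)]*)\)$")
PKG_RE = re.compile(r"^\s*\*\s*([^:]+):\s*(\d+-\d+)$")

def parse_notice(text):
    """Map each revision to its arch, channel list and {package: USN}."""
    revisions = OrderedDict()
    current = None
    for line in text.splitlines():
        m = REV_RE.match(line)
        if m:
            rev, arch, channels = m.groups()
            chans = [c.strip() for c in channels.split(",")]
            current = revisions[rev] = {"arch": arch, "channels": chans, "packages": {}}
            continue
        m = PKG_RE.match(line)
        if m and current is not None:  # package lines before any revision are ignored
            current["packages"][m.group(1).strip()] = m.group(2)
    return revisions

def filter_esm_only(revisions, esm_only):
    """Drop packages whose USN is ESM-only, then revisions with nothing left."""
    kept = OrderedDict()
    for rev, info in revisions.items():
        pkgs = {p: u for p, u in info["packages"].items() if u not in esm_only}
        if pkgs:
            kept[rev] = {**info, "packages": pkgs}
    return kept
```

With the reporter's full ESM-only list every revision in the sample is suppressed, which is the outcome the bug asks for; with a narrower list only the revisions that still have a non-ESM fix outstanding remain.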
Jamie Strandboge (jdstrand) wrote (last edit):

> Is there any reason we shouldn't just enable ESM for core18 and core20 builds in Launchpad, as we did for core a while back (see https://ubuntu.com/blog/how-does-ubuntu-16-04-entering-extended-security-maintenance-esm-affect-snap-publishers)?

I came across this issue with a snap using core18 as a base. If Launchpad builds aren't enabling ESM by default for core18 and higher, how can I tell Launchpad to use ESM for my snap ('snapcraft --ua-token <ua-token>' works locally)?

Alex Murray (alexmurray) wrote:

hey jdstrand! Sadly there is no way to get LP to build a snap with ESM enabled currently.

Jamie Strandboge (jdstrand) wrote:

Hey Alex,

Has anything changed in the last few months? https://forum.snapcraft.io/t/call-for-testing-snapcraft-7-4-0/35264 talks about core18 EOL and refers to https://canonical.com/blog/ubuntu-18-04-eol-for-devices which advocates buying Pro. This is somewhat misleading since while I have Pro, I can't take full advantage of it in my snaps built in LP. Besides building locally, is there anything I can do to use my ESM with snap builds? If not, are there plans for this (and what is the timeline)?

Thanks!

Alex Murray (alexmurray) wrote:

Hey Jamie :)

I believe the plan is to allow publishers to enrol a Pro token with the Store which will then delegate that to LP for the builds, but as far as I know that is only a plan. At this stage, the best advice I can give is to migrate to core20 or core22 (which I realise is non-trivial and a bit of a cop-out) but is the only feasible way forward currently for publishers who want to keep the stage-packages of their snaps up-to-date. To keep things clearer for publishers, until it is possible to use the store to enable a snap to build with Ubuntu Pro, I have disabled the USN notification service from sending notifications for updates which come from esm-infra/bionic.

Sorry I don't have better news.
