ubuntu-security cannot target to series

Bug #888568 reported by Jamie Strandboge
This bug affects 1 person
Affects: Launchpad itself
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

ubuntu-security routinely uses the 'target to series' functionality in Launchpad to track CVEs. Part of this work is for our kernel security engineer to work with the kernel team on the kernel cadence, which requires as part of our process to manipulate 'target to release' tasks a lot. Unfortunately, to be able to 'target to release', currently one must be a core-dev, part of ubuntu-release or part of ubuntu-drivers (there may be others). I would like the 'target to series' permissions to also include 'ubuntu-security'.

As it is a requirement for people in ubuntu-security to manipulate tasks, but it is not a requirement for specialist security engineers (like our browser security engineer or kernel security engineer) to be core-dev or in one of these groups, the current permissions do not fit the needs for my team, and this blocks their work.

It was mentioned that ubuntu-security could be added to ubuntu-release, but that does not seem the proper long-term fix, as ubuntu-release starts to become bloated like ubuntu-drivers used to be. Depending on the time frame for this fix, we may have to use ubuntu-release as a workaround since this is blocking our work. (This was not a big problem before but changes in our team have highlighted the issue (i.e., our new kernel security engineer is not in any of these groups)).

Curtis Hovey (sinzui)
Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
tags: added: distributions milestones projects series
Colin Watson (cjwatson) wrote :

It might be sufficient for your kernel security engineer to have per-package upload rights to the kernel. It would be useful if a Launchpad developer could confirm that that was enough.

I feel that we ought to be able to assume that security engineers at least have upload rights to the things they're working on (and fix that if they don't).

Colin Watson (cjwatson) wrote :

To clarify, if that's enough, that would involve your engineer applying to the DMB to be added to ~ubuntu-kernel-uploaders.

Curtis Hovey (sinzui) wrote :

Hi Jamie.

I think this issue relates to the case where permission in a project is delegated.
    Maintainer -> driver -> bug supervisor
                                       | -> security contact

There are several cases in Lp's code where permissions are just f***ed. Lp Admins cannot set a bug importance for example.
The two groups that absolutely need permission to target to a series or milestone are the maintainer and drivers. Drivers cannot do that, but I expect this to be fixed in a week. We may fix this issue while correcting the current permissions (that contradict what is documented).

I imagine if bug supervisors can target to milestones and series, the security contact should as well. The drivers may need to approve it.

summary: - ubuntu-security should be able to target to release
+ security contact cannot target to release
tags: added: bugs
tags: added: cves
Jamie Strandboge (jdstrand) wrote : Re: security contact cannot target to release

Curtis, thanks for the quick response. FWIW, it does make sense to me that a security contact should be able to target to a release in order to express clearly which products are affected, and that this would be generally useful to projects other than Ubuntu.

Micah Gersten (micahg) wrote :

Curtis, right now ubuntu-security is a member of ubuntu-bugcontrol, so we worked around the security contact needs to nominate issue. What we need is the ability for a security contact to target directly, not just nominate.

Curtis Hovey (sinzui) wrote :

Understood. I think the rule is doable. While it is not a part of the disclosure project, several people will be adjusting the permission rules over the next 2 months. I am pretty certain we can fix this issue with the other odd bug and series permissions.

Curtis Hovey (sinzui) wrote : Re: ubuntu-security cannot target to release

The security contact role was removed from Launchpad. Sharing and bug subscriptions provide more reliable access and notifications to Private Security bugs.

summary: - security contact cannot target to release
+ ubuntu-security cannot target to release
Curtis Hovey (sinzui)
description: updated
Curtis Hovey (sinzui)
summary: - ubuntu-security cannot target to release
+ ubuntu-security cannot target to series
tags: added: bug-nomination
This report contains Public information  
Everyone can see this information.
