SRU: Bootable buildd images boot vulnerable kernels

Hello Cody, or anyone else affected,

Accepted livecd-rootfs into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/livecd-rootfs/2.664.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I've verified that this is fixed for Focal by:

* Building the livecd-rootfs 2.664.5 source package in a private ppa
* Building the focal buildd image with the cpc-buildd livefs, with the above private-ppa as an extra archive
* Booting the resulting disk-linux-virtual.img in Multipass with libvirt as the local driver, and verifying that a) the running kernel was updated (5.4.0-42.46-generic in this case), and b) -updates and -security were enabled in the apt sources.list

Thanks!

This bug was fixed in the package livecd-rootfs - 2.664.5

---------------
livecd-rootfs (2.664.5) focal; urgency=medium

  [ Robert C Jennings ]
  * Handle seeded lxd snap with channel name for ubuntu-cpc:minimized
    (LP: #1889470)

  [ Cody Shepherd ]
  * Add dist-upgrade to bootable-buildd hook to ensure the built image
    doesn't contain vulnerable kernels or other packages. LP: #1891061.
  * Don't explicitly install grub-efi-amd64-signed, it's a dependency of
    shim-signed.

 -- Steve Langasek <email address hidden> Tue, 04 Aug 2020 12:39:27 -0700

The verification of the Stable Release Update for livecd-rootfs has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package livecd-rootfs - 2.525.47

---------------
livecd-rootfs (2.525.47) bionic; urgency=medium

  * Apparently the lxd appliance needs to use a custom track (4.0) and since
    model assertions do not accept track names in required-snaps, we need to do
    this by hand during build. (LP: #1891505)

 -- Łukasz 'sil2100' Zemczak <email address hidden> Wed, 12 Aug 2020 15:58:19 +0200