Line 195: | Line 195: | ||
</pre> | </pre> | ||
− | Trigger advisory mail (I usually do this after every advisory to spot any issues, and to get the advisory mails sorted. If you forget this step, a cron job will send new/unpublished advisories every 10 minutes): | + | Trigger advisory mail (I usually do this after every advisory to spot any perl parser issues, and to get the advisory mails sorted. If you forget this step, a cron job will send new/unpublished advisories every 10 minutes): |
<pre> | <pre> | ||
[mga-advisories@valstar ~]$ update_mga-advisories | [mga-advisories@valstar ~]$ update_mga-advisories |
Revision as of 09:55, 23 March 2014
This is a short version of what currently is done when pushing updates.
I here use 3 terminal windows, one as myself on my local machine, one as root @ valstar and one as mga-advisories @ valstar.
Install advisories tool:
[root@laptop ~]# urpmi mga-advisories - installs mgaadv
Do initial config:
[tmb@laptop ~]$ mgaadv initqaconf - initializes config file (it opens text editor to show config) - initial download of advisories
Check that you have latest advisories:
[tmb@laptop ~]$ cd mageia-advisories/advisories [tmb@laptop advisories]$ svn up
Check at end of http://mageia.madb.org/tools/updates for advisories ready to be pushed.
Pushing updates (using samba update (bug 12999) as an example)
Assing advisory id (note: sometimes there can be split advisories in which case you would use mgaadv publish 12999.mga3 and mgaadv publish 12999.mga4):
[tmb@laptop advisories]$ mgaadv publish 12999 Assigned ID MGASA-2014-0138 to advisory 12999
Check if there is potential problems (for perl advisory parser):
[tmb@laptop advisories]$ file 12999.adv 12999.adv: ASCII text (this is ok)
Check the contents of the advisory looks ok:
[tmb@laptop advisories]$ cat 12999.adv type: security subject: Updated samba packages fix security vulnerability CVE: - CVE-2013-4496 src: 3: core: - samba-3.6.15-1.4.mga3 4: core: - samba-3.6.23-1.mga4 description: | In Samba before 3.6.23, the SAMR server neglects to ensure that attempted password changes will update the bad password count, and does not set the lockout flags. This would allow a user unlimited attempts against the password by simply calling ChangePasswordUser2 repeatedly. This is available without any other authentication (CVE-2013-4496) references: - https://bugs.mageia.org/show_bug.cgi?id=12999 - http://www.samba.org/samba/security/CVE-2013-4496 ID: MGASA-2014-0138
On valstar, use Screen to make avoid breakages during package move if you loose network connection)
[root@valstar ~]# screen
Push srpm(s) according to advisory (verify that the srpm matches the advisory, if not, check the bugreport if something has changed and update advisory accordingly or ask QA people for clarification (format is mga-send-update-nosync <distro> <media> <srpm>):
[root@valstar ~]# ./mga-send-update-nosync 3 core samba This SRPM (and matching binarys) will be moved from updates_testing to updates: samba-3.6.15-1.4.mga3.src.rpm Are you sure ? y moving binary and source rpms: i586: libnetapi0-3.6.15-1.4.mga3.i586.rpm libnetapi-devel-3.6.15-1.4.mga3.i586.rpm libsmbclient0-3.6.15-1.4.mga3.i586.rpm libsmbclient0-devel-3.6.15-1.4.mga3.i586.rpm libsmbclient0-static-devel-3.6.15-1.4.mga3.i586.rpm libsmbsharemodes0-3.6.15-1.4.mga3.i586.rpm libsmbsharemodes-devel-3.6.15-1.4.mga3.i586.rpm libwbclient0-3.6.15-1.4.mga3.i586.rpm libwbclient-devel-3.6.15-1.4.mga3.i586.rpm nss_wins-3.6.15-1.4.mga3.i586.rpm samba-client-3.6.15-1.4.mga3.i586.rpm samba-common-3.6.15-1.4.mga3.i586.rpm samba-doc-3.6.15-1.4.mga3.noarch.rpm samba-domainjoin-gui-3.6.15-1.4.mga3.i586.rpm samba-server-3.6.15-1.4.mga3.i586.rpm samba-swat-3.6.15-1.4.mga3.i586.rpm samba-virusfilter-clamav-3.6.15-1.4.mga3.i586.rpm samba-virusfilter-fsecure-3.6.15-1.4.mga3.i586.rpm samba-virusfilter-sophos-3.6.15-1.4.mga3.i586.rpm samba-winbind-3.6.15-1.4.mga3.i586.rpm samba-debuginfo-3.6.15-1.4.mga3.i586.rpm x86_64: lib64netapi0-3.6.15-1.4.mga3.x86_64.rpm lib64netapi-devel-3.6.15-1.4.mga3.x86_64.rpm lib64smbclient0-3.6.15-1.4.mga3.x86_64.rpm lib64smbclient0-devel-3.6.15-1.4.mga3.x86_64.rpm lib64smbclient0-static-devel-3.6.15-1.4.mga3.x86_64.rpm lib64smbsharemodes0-3.6.15-1.4.mga3.x86_64.rpm lib64smbsharemodes-devel-3.6.15-1.4.mga3.x86_64.rpm lib64wbclient0-3.6.15-1.4.mga3.x86_64.rpm lib64wbclient-devel-3.6.15-1.4.mga3.x86_64.rpm nss_wins-3.6.15-1.4.mga3.x86_64.rpm samba-client-3.6.15-1.4.mga3.x86_64.rpm samba-common-3.6.15-1.4.mga3.x86_64.rpm samba-doc-3.6.15-1.4.mga3.noarch.rpm samba-domainjoin-gui-3.6.15-1.4.mga3.x86_64.rpm samba-server-3.6.15-1.4.mga3.x86_64.rpm samba-swat-3.6.15-1.4.mga3.x86_64.rpm samba-virusfilter-clamav-3.6.15-1.4.mga3.x86_64.rpm samba-virusfilter-fsecure-3.6.15-1.4.mga3.x86_64.rpm samba-virusfilter-sophos-3.6.15-1.4.mga3.x86_64.rpm samba-winbind-3.6.15-1.4.mga3.x86_64.rpm samba-debuginfo-3.6.15-1.4.mga3.x86_64.rpm SRPMS: samba-3.6.15-1.4.mga3.src.rpm [root@valstar ~]# ./mga-send-update-nosync 4 core samba This SRPM (and matching binarys) will be moved from updates_testing to updates: samba-3.6.23-1.mga4.src.rpm Are you sure ? y moving binary and source rpms: i586: libnetapi0-3.6.23-1.mga4.i586.rpm libnetapi-devel-3.6.23-1.mga4.i586.rpm libsmbclient0-3.6.23-1.mga4.i586.rpm libsmbclient0-devel-3.6.23-1.mga4.i586.rpm libsmbclient0-static-devel-3.6.23-1.mga4.i586.rpm libsmbsharemodes0-3.6.23-1.mga4.i586.rpm libsmbsharemodes-devel-3.6.23-1.mga4.i586.rpm libwbclient0-3.6.23-1.mga4.i586.rpm libwbclient-devel-3.6.23-1.mga4.i586.rpm nss_wins-3.6.23-1.mga4.i586.rpm samba-client-3.6.23-1.mga4.i586.rpm samba-common-3.6.23-1.mga4.i586.rpm samba-doc-3.6.23-1.mga4.noarch.rpm samba-domainjoin-gui-3.6.23-1.mga4.i586.rpm samba-server-3.6.23-1.mga4.i586.rpm samba-swat-3.6.23-1.mga4.i586.rpm samba-virusfilter-clamav-3.6.23-1.mga4.i586.rpm samba-virusfilter-fsecure-3.6.23-1.mga4.i586.rpm samba-virusfilter-sophos-3.6.23-1.mga4.i586.rpm samba-winbind-3.6.23-1.mga4.i586.rpm samba-debuginfo-3.6.23-1.mga4.i586.rpm x86_64: lib64netapi0-3.6.23-1.mga4.x86_64.rpm lib64netapi-devel-3.6.23-1.mga4.x86_64.rpm lib64smbclient0-3.6.23-1.mga4.x86_64.rpm lib64smbclient0-devel-3.6.23-1.mga4.x86_64.rpm lib64smbclient0-static-devel-3.6.23-1.mga4.x86_64.rpm lib64smbsharemodes0-3.6.23-1.mga4.x86_64.rpm lib64smbsharemodes-devel-3.6.23-1.mga4.x86_64.rpm lib64wbclient0-3.6.23-1.mga4.x86_64.rpm lib64wbclient-devel-3.6.23-1.mga4.x86_64.rpm nss_wins-3.6.23-1.mga4.x86_64.rpm samba-client-3.6.23-1.mga4.x86_64.rpm samba-common-3.6.23-1.mga4.x86_64.rpm samba-doc-3.6.23-1.mga4.noarch.rpm samba-domainjoin-gui-3.6.23-1.mga4.x86_64.rpm samba-server-3.6.23-1.mga4.x86_64.rpm samba-swat-3.6.23-1.mga4.x86_64.rpm samba-virusfilter-clamav-3.6.23-1.mga4.x86_64.rpm samba-virusfilter-fsecure-3.6.23-1.mga4.x86_64.rpm samba-virusfilter-sophos-3.6.23-1.mga4.x86_64.rpm samba-winbind-3.6.23-1.mga4.x86_64.rpm samba-debuginfo-3.6.23-1.mga4.x86_64.rpm SRPMS: samba-3.6.23-1.mga4.src.rpm
Commit the advisory to svn (add advisory id and srpm(s) in message for easy svn browsing):
[tmb@laptop advisories]$ svn commit -m "MGASA-2014-0138: samba-3.6.15-1.4.mga3, samba-3.6.23-1.mga4" 12999.adv
Trigger advisory mail (I usually do this after every advisory to spot any perl parser issues, and to get the advisory mails sorted. If you forget this step, a cron job will send new/unpublished advisories every 10 minutes):
[mga-advisories@valstar ~]$ update_mga-advisories
Copy the advisory link from the advisory mail (in the bug 12999 case: http://advisories.mageia.org/MGASA-2014-0138.html) and paste it in the bugreport and close it as fixed.
When all advisories are pushed, update hdlists and sync from bootstrap to distrib tree for every media you pushed updates to (format is mga-send-update-sync <distro> <media>):
(it will list all files it touches / moves wich I wont list here)
[root@valstar ~]# ./mga-send-update-nosync 3 core ... long list of files... [root@valstar ~]# ./mga-send-update-nosync 4 core ... long list of files...
And you are done and can exit all terminal windows on valstar