Bruce-cable ~ubuntu-security membership application

This is my membership request to the Ubuntu Security group. Below I detail my contributions to the Ubuntu community and other relevant information.

Verified Identity

As a Canonical employee (and hence member of ~canonical-security) my identity has been verified in person, through legal documents and a background check during my onboarding.

Ubuntu CVE Tracker

As part of publishing USNs I have made merge requests in the Ubuntu CVE Tracker including the following changes to the listed package CVE files:

• Status updates
  • QEMU
  • OpenJPEG
  • Git
• Assigning
  • Rack
  • Vim
  • OpenSSL
• Adding Notes
  • Libcdio
• Retiring
  • Unbound
  • EDK2

QA Regression Test

When patching a CVE, testing is required to ensure no regressions have been introduced.

I’ve written and merged QA regression scripts to both ensure CVEs have been patched correctly and that no regressions have been introduced by a security fix. Furthermore I’ve added testing notes for packages that are tested manually. This includes the following:

QA Tests

• GDB
• Kerberos
• Libcdio
• Rack

QA Notes

• EDK

Ubuntu Security Notices

I have published packages in Main and Universe to the ESM-Infra, ESM-Apps and Security PPAs. Some of the USNs I’ve published include the following:

• 7037-1 - OpenJPEG
• 7036-1 - Rack (community sponsorship)
• 7023-1 - Git
• 7018-1 - OpenSSL
• 6998-1 - Unbound
• 6993-1 - Vim
• 6977-1- QEMU
• 6965-1 - Vim
• 6837-2 - Rack
• 6947-1 - Kerberos
• 6920-1 - EDK
• 6901-1 - Stunnel
• 6880-1 - Tomcat
• 6855-1 - Libcdio
• 6842-1 - GDB
• 6827-1 - LibTIFF
• 6786-1 - Netatalk

Tooling

I’ve modified internal tooling to help other contributors including:

• Testbed failure detection when checking for regressions in autopackage tests
• Updates to the templating for changelog entries and tests for these changes

Ubuntu Code of Conduct

I have signed the Ubuntu Code of Conduct and follow it when engaging with the Ubuntu community.

+1 from me for @bruce-cable to join ~ubuntu-security - as per [spec] ~ubuntu-security membership he clearly meets all the respective criteria and has contributed significantly to the security of Ubuntu during his time in the ~ubuntu-security-apprentices team.

As presented in the application above, @bruce-cable has clearly met each requirement to join ~ubuntu-security and has done some excellent work with each contribution. +1 from me!

@bruce-cable has met all the criteria to join ~ubuntu-security and consistently produced outstanding work with each contribution. +1 from me!

+1 from me as @bruce-cable met all the criteria and has been producing quality work!

The materials provided show that @bruce-cable meets the necessary criteria for membership.

They have shown to be diligent in their contributions and a reliable team member, earning my vote (+1).

+1 from me as well to support @bruce-cable application to join ~ubuntu-security. The evidence he is providing demonstrates he is meeting the expected criteria. Thanks @bruce-cable for the excellent work!

Hey @bruce-cable this is a great body of work, and I am tentatively a +1 on your lp:~ubuntu-security membership, but could I ask you to describe some of the challenges or quirks that you hit while doing some of the updates?

SInce this process is new, for candidates in general, I think it’s helpful to describe some of the different things they seen (native packages or different source formats, debugging steps taken, etc.) so we can get a picture of what out-of-the-ordinary things you’ve seen. Thanks!

Thanks for the comment Steve!

Some of the unusual things I’ve come recently across include:

- Build tests failing for libarchive because access time was not enabled in the fstab for my schroots
- A package with suffix "~rc1" seemingly trumping the non-rc version in LP (Turned out an older version had been deleted)
- A package failing to build because the "single-debian-patch" option was set and my patches weren't applied in the correct order (I updated our tooling to indicate this is set for future builds)
- During my testing of KRB5 some tests were failing due to which ciphers had been enabled, this required debugging to find the cause.

Awesome, Bruce, thanks for following up! Those are definitely some interesting challenges.

Based on this, I am formally +1 on granting @bruce-cable membership in lp:~ubuntusecurity.

+1 from me as @bruce-cable has been showing he met all the requirements to join ~ubuntu-security!

+1 on granting @bruce-cable membership!

+1 to add @bruce-cable to ~ubuntu-security.
Thanks Bruce for the great work.

Thank you @bruce-cable for your application, and thank you to everyone who gave feedback on the application. Voting is now closed.

The following votes were cast by existing Ubuntu Security members:

• @alexmurray +1
• @cav +1
• @0xnishit +1
• @ebarretto +1
• @emitorino +1
• @sbeattie +1
• @leosilvab +1
• @techalchemy +1
• @rodrigo-zaiden +1

The application is approved with a balance of 9 affirmative votes making up 100% of the total votes cast.

Congratulations and welcome Bruce Cable! I have added you to the Ubuntu Security team, please exercise caution with your new rights.

Thanks,
Steve Beattie