Kkernick ~ubuntu-security membership application

kkernick · April 30, 2026, 8:48pm

Hello! This is my application to join ~ubuntu-security.

Team Membership

Ubuntu Security Apprentices: Member since 2026-01-26
Canonical Security Team: Member since 2026-01-26
Canonical: Member since 2026-01-26

I’ve also been a member of a private security team since 2026-02-18

Verified Identity

I am an employee of Canonical and a member of ~canonical-security, my identity has been verified through a background check during the onboarding process and will be verified in person at the upcoming Engineering Sprint.

Security Updates

I have worked on 14 packages (Including 227 vendored packages), to fix over 40 CVEs. No regressions have been reported from these updates.

USN-7954-2: 3 CVEs affecting libtasn1-6.
USN-8057-1: 5 CVEs affecting gimp.
USN-8075-1: 5 CVEs affecting gimp.
USN-8082-1: 2 CVEs affecting gimp.
USN-8089-1: 6 CVEs affecting golang-golang-x-net and 227 vendored packages .
USN-8109-1: 1 CVE affecting debian-goodies.
USN-8110-1: 1 CVE affecting libnet-cidr-perl.
USN-8134-1: 2 CVEs affecting pyasn1.
USN-8089-2: 7 CVEs affecting golang-golang-x-net-dev.
USN-8089-3: 7 CVEs adsys (3), lxd (7), and juju-core (7).
USN-8158-1: 1 CVE affecting dogtag-pki.
USN-8171-1: 3 CVEs affecting vim.
USN-8182-1: 13 CVEs affecting ruby-rack.
USN-8199-1: 2 CVEs affecting glance.
USN-8213-1: 2 CVEs affecting vim.

Release / Package	Trusty	Xenial	Bionic	Focal	Noble	Jammy	Questing
`libtasn1-6` (Main)	ESM	ESM	ESM	ESM
`gimp` (Universe)	ESM	ESM	ESM	ESM	ESM	ESM
`golang-golang-x-net` (Universe)					ESM	ESM
`debian-goodies` (Main)	ESM	ESM	ESM		Archive
`libnet-cidr-perl` (Main)	ESM	ESM	ESM	ESM	Archive	Archive
`pyasn1` (Main)	ESM	ESM	ESM	ESM
`golang-golang-x-net-dev` (Both)		ESM	ESM	ESM
`lxd` (Main)		ESM	ESM
`juju-core` (Main)		ESM
`adsys` (Main)				ESM
`dogtag-pki` (Universe)			ESM	ESM
`vim` (Main)	ESM	ESM	ESM	ESM	Archive	Archive	Archive
`ruby-rack` (Both)	ESM	ESM	ESM	ESM	Archive	Archive	Archive
`glance` (Main)	ESM	ESM	ESM	ESM

Troubleshooting

`golang-golang-x-net`

While working on the rebuilds for vendored versions of x-net, I had to troubleshoot numerous packages, including:

prometheus’s testing certificates had expired and was causing a build failure.
mirrorbits had lost a transitive dependency on pkg-config, which was causing a build failure.
adsys was unable to compile on my local machine, and I had to create a ~test version to ensure the program could be successfully complied on LaunchPad.

`pyasn1`

On Bionic’s version of the Python Interpreter, a fix for preventing a stack overflow was not behaving correctly, and raising an exception much earlier than expected–this issue was compounded by the fact that Focal, which was using the same version of pyasn1, was unaffected. Reducing the upper bound enforced by the patch resolved the issue, and I was able to bisect the value to reduce it from 100 to 90 (Having determined the absolute maximum at 94).

`glance`

Backporting glance for Bionic down required translating 15 patches from Python 3 to Python 2.

With 7 pre-patches, I needed to comb through the source repository to see which patches still applied (As one of the vulnerability vectors, disk image conversion, was not present in earlier version), and determine whether test failures were due to missing functionality or a syntax issue from Python 3.
glance’s testing suite also required internet access, which was causing LaunchPad builds to fail. I had to upload ~test versions to narrow down which test cases were affected, then mock the connection so they would build successfully.

Continued, on-going security updates

As a member of the Security Engineering team at Canonical, I will continue to work on security updates on a regular basis.

Understanding of Required Tools and Systems

I’ve both used and contributed heavily to various security tools and systems, including:

UCT

CVE Tracking (Highlighted from over 30 commits):
- glance: Triage, Release, Update
- gimp: Assign, Triage, Release
- ruby-rack: Triage Release
Updating package_info: debian-goodies and libnet-cidr-perl

QRT

libtasn1-6: Updating existing test to support older releases, and added another test case.
gimp: Add 6 new test cases.
debian-goodies: Add 2 new test cases using available proof-of-concepts.
vim: Updated existing test to support older releases.
ruby-rack: Updated existing test cases to support a new major version of the package, and older releases.
glance: Updated existing tests to prevent errors on older releases.
bubblewrap: Added 2 new test cases.

Security Tools

Added support for running UMT as a symlink, which permitted symlinking the binary to an existing member of a user’s PATH, rather than having to add Security Tools to PATH directly. This feature regressed after an update and I provided a patch to re-support it in commit a9ad16d.
Added a --security-proposed argument to unembargo to publish to the security proposed pocket without having to manually define a PPA.

I have also made contributions toward several internal tooling and documentation repositories.

Responsive and Respectful Communication

I have signed the code of conduct. Additionally, I regularly monitor the Launchpad bugs for packages I have patched as well as keep track of the relevant mailing list announcements to check for possible regressions.

Understanding of Responsibilities

I am following credentials best practices, my disk is fully encrypted, and I have 2FA enabled for all accounts.

hlibk · May 1, 2026, 4:06pm

+1 from me for @kkernick to join ~ubuntu-security. Kyle has demonstrated a great technical expertise when working on rather complicated backports, and has done a great job at identifying issues in our tooling and fixing them. Having mentored Kyle personally, I have no doubt that he will be a great addition to the team. Looking forward to seeing you in Madrid as well!

ej7367 · May 4, 2026, 5:51pm

Since joining the team, @kkernick has consistently delivered high-quality security updates, navigating several tricky backporting and testing scenarios. He has also made significant contributions to improve our team’s internal tooling. +1 from me!

elisehdy · May 5, 2026, 12:14am

This is a +1 from me to support @kkernick joining ~ubuntu-security. He has shown a clear understanding and talent in tackling the complex issues you can face when patching. In addition, he has made significant contributions to our tooling and internal projects. Excited to have him on the team!

bruce-cable · May 5, 2026, 12:38am

+1 for me, @kkernick has worked on a variety of complex backports and demonstrated their skill in package updates. Also great work adding to QRT scripts to prevent regressions in future updates!

sarnold · May 5, 2026, 12:40am

+1 for me for @kkernick to join ~ubuntu-security. He’s taken on increasingly challenging tasks and throughout asked great questions – and keeps an eye on making changes to tools that need changes.

ebarretto · May 5, 2026, 7:19am

+1 for me
Kyle put a lot of hard work and took on those challenges with patience and showing lots of skills and thoughts into it. Looking forward to see what comes next!

ebarretto · May 12, 2026, 11:09am

Thank you @kkernick for your application, and thank you to everyone who gave feedback on the application. Voting is now closed.

The following votes were cast by existing Ubuntu Security members:

@hlibk +1
@ej7367 +1
@elisehdy +1
@bruce-cable +1
@sarnold +1
@ebarretto +1

The application is approved with a balance of 6 affirmative votes making up 100% of the total votes cast.

Congratulations and welcome Kyle! I have added you to the Ubuntu Security team, please exercise caution with your new rights.

Thanks,
Eduardo