Hello everyone!
I am requesting membership in ~ubuntu-security. The information requested in the spec is listed below:
Team Memberships
I am currently a member of the following teams:
- Canonical - Joined on 2024-03-11
- Canonical Security Team - Joined on 2024-03-11
- Ubuntu Security Apprentices - Joined on 2024-04-29
- SOSS Security Team - Joined on 2024-05-28
Verified Identity
My identity was verified through the general Canonical employee onboarding process, which includes a background check and verification of my government-issued identity documentation.
I also attended the Canonical Engineering Sprint in May 2024, where, during a PGP key-signing party, several members of the Ubuntu Security team were able to verify my identity.
My PGP-signed “Ubuntu Codes of Conduct” is attached to my Launchpad account and available here: https://launchpad.net/~sayun/+codesofconduct
History of high-quality sponsored security updates
Listed below is a sampling of USNs that I have published after patching their associated CVEs:
- Apache Maven Shared Utils - USN-6730-1
- gerbv - USN-6760-1
- ghostscript - USN-6835-1
- python-aiohttp - USN-6991-1
- Ubuntu Advantage Desktop Daemon - USN-7063-1
- Some of these, like the Apache Maven Shared Utils and python-aiohttp, proved to be challenging to test as they involved testing through their respective build systems. Getting to a point where the changes could actually be tested involved going through multiple layers of the build/test process. Debugging the test in python-aiohttp required going into a chroot after a build and running tests from within.
- The gerbv patch involved working with a file format that I had no prior experience with. Being able to prove the effectiveness of the fix involved learning about the RS-274X format and crafting an input that would cause the issue to occur. It was also my first time debugging a GUI application.
- The ghostscript patches gave me an opportunity to work with QRT. The test involved using QRT to compile a sample C shared object for use in triggering the vulnerability.
- The Ubuntu Advantage Desktop Daemon update was also a learning experience. This particular package needed to be included in main for versions that would normally be ESM, i.e. in order to get the fix, one would need to go through the process of turning on Ubuntu Pro, which would have been a vulnerable code path without the fix already in place. Putting the patched version in main would allow this to be mitigated prior to turning on Ubuntu Pro.
Demonstrated understanding of required tools and systems
I have worked with UCT and QRT as part of my CVE patching process; example merge requests are listed below:
https://code.launchpad.net/~sayun/ubuntu-cve-tracker/+git/UCT/+merge/467643
https://code.launchpad.net/~sayun/ubuntu-cve-tracker/+git/UCT/+merge/472712
https://code.launchpad.net/~sayun/qa-regression-testing/+git/qa-regression-testing/+merge/468446
https://code.launchpad.net/~sayun/qa-regression-testing/+git/qa-regression-testing/+merge/463639
Additionally, I am making continued contributions to documentation and process improvements. I have made dozens of edits to the Ubuntu Wiki, especially around the process of creating build environments.
Thank you!